Analysis

Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 03-12-2024 15:57

Static task: static1

Behavioral task: behavioral1
  Sample: cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
  Resource: win10v2004-20241007-en
General

Target: cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
Size: 78KB
MD5: a2b0dee2daf2170c258fc68533075f86
SHA1: dbc5cd5b0fded25549ebadf2cf47c3a2558a3c3d
SHA256: cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940
SHA512: aa3ccbc8f3a6ffc19f9fadc64de394b9ab8d7b257566926c6d8faa1b9ac2843a3d0ffc1ccf74a8ab987c861e79101955fae32cda68fccec04111c0f667595b4d
SSDEEP: 1536:o5jS5XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96+9/9t1m6U:o5jSpSyRxvhTzXPvCbW2UZ9/9pU
Malware Config

Signatures

MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Executes dropped EXE (1 IoC)
  PID  | Process
  2752 | tmp9E04.tmp.exe

Loads dropped DLL (2 IoCs)
  PID  | Process
  2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
  2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Description     | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmp9E04.tmp.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9E04.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              | PID  | Process
  Token: SeDebugPrivilege  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
  Token: SeDebugPrivilege  | 2752 | tmp9E04.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       | PID  | Process | procid_target
  PID 2272 wrote to memory of 1240  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe | 30
  PID 2272 wrote to memory of 1240  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe | 30
  PID 2272 wrote to memory of 1240  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe | 30
  PID 2272 wrote to memory of 1240  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe | 30
  PID 1240 wrote to memory of 2192  | 1240 | vbc.exe | 32
  PID 1240 wrote to memory of 2192  | 1240 | vbc.exe | 32
  PID 1240 wrote to memory of 2192  | 1240 | vbc.exe | 32
  PID 1240 wrote to memory of 2192  | 1240 | vbc.exe | 32
  PID 2272 wrote to memory of 2752  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe | 33
  PID 2272 wrote to memory of 2752  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe | 33
  PID 2272 wrote to memory of 2752  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe | 33
  PID 2272 wrote to memory of 2752  | 2272 | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe"
  PID: 2272
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\darn31dp.cmdline"
    PID: 1240
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F4B.tmp"
      PID: 2192
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmp9E04.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9E04.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
    PID: 2752
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads