Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2024 18:29
Static task: static1
Behavioral task: behavioral1
  Sample: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  Resource: win10v2004-20241007-en
General
Target: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
Size: 78KB
MD5: fa1f726c2bd7e3e3053ec9c9f2b2fcda
SHA1: 4f7eaa0f880d1cbe4c48a8dd8ff11f1f3ec97dd0
SHA256: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81
SHA512: 140f7b066c9654e55ae7c842a3a6bba3e016848f19e0dc22162371c47afbd103edc7365201115dd40047167192c68a4c35ec52066f9c8d0718cd76c544e32d47
SSDEEP: 1536:oV5jS6XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6zP9/p1qhC:oV5jSiSyRxvY3md+dWWZybP9/eC
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Executes dropped EXE (1 IoC)
  pid | Process
  2852 | tmpF45D.tmp.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmpF45D.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF45D.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  Token: SeDebugPrivilege | 2852 | tmpF45D.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2424 wrote to memory of 2752 | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 30
  PID 2424 wrote to memory of 2752 | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 30
  PID 2424 wrote to memory of 2752 | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 30
  PID 2424 wrote to memory of 2752 | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 30
  PID 2752 wrote to memory of 2948 | 2752 | vbc.exe | 32
  PID 2752 wrote to memory of 2948 | 2752 | vbc.exe | 32
  PID 2752 wrote to memory of 2948 | 2752 | vbc.exe | 32
  PID 2752 wrote to memory of 2948 | 2752 | vbc.exe | 32
  PID 2424 wrote to memory of 2852 | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 33
  PID 2424 wrote to memory of 2852 | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 33
  PID 2424 wrote to memory of 2852 | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 33
  PID 2424 wrote to memory of 2852 | 2424 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe (PID 2424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2752)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jfhttx45.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2948)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF671.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF660.tmp"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe (PID 2852)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads