Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 04-12-2024 23:12

Static task: static1

Behavioral task: behavioral1
  Sample: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Resource: win10v2004-20241007-en
General
Target: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
Size: 78KB
MD5: 572af0c2681ed64595528c7bcb1f22b8
SHA1: 42a3442c0b9f911a3c7cf4848d0a32c0e4abc795
SHA256: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6
SHA512: d14f3acf669745ca895c89f2fd8c3a6b4bf0a3c590ccf8b5d328e6f7cd3558dd58d5e3ae7a04f760b46f09d82792615e678fc7486d34afd1361152413c9e4357
SSDEEP: 1536:/Py5jSfXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96V9/H1AS:/Py5jS/SyRxvhTzXPvCbW2Ua9/R
Malware Config
Signatures

MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family
Executes dropped EXE (1 IoC)
  pid   Process
  2720  tmpEB1A.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
  Process:     tmpEB1A.tmp.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpEB1A.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Token: SeDebugPrivilege  2720  tmpEB1A.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2460 wrote to memory of 2600   2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  31
  PID 2460 wrote to memory of 2600   2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  31
  PID 2460 wrote to memory of 2600   2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  31
  PID 2460 wrote to memory of 2600   2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  31
  PID 2600 wrote to memory of 2608   2600  vbc.exe                                                                 33
  PID 2600 wrote to memory of 2608   2600  vbc.exe                                                                 33
  PID 2600 wrote to memory of 2608   2600  vbc.exe                                                                 33
  PID 2600 wrote to memory of 2608   2600  vbc.exe                                                                 33
  PID 2460 wrote to memory of 2720   2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  34
  PID 2460 wrote to memory of 2720   2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  34
  PID 2460 wrote to memory of 2720   2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  34
  PID 2460 wrote to memory of 2720   2460  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  34
Processes

C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe"
  PID: 2460
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d3vyutvi.cmdline"
      PID: 2600
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC23.tmp"
          PID: 2608
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmpEB1A.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpEB1A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
      PID: 2720
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads