Analysis
max time kernel: 141s
max time network: 145s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 23:17
Static task: static1
Behavioral task: behavioral1
  Sample: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Resource: win10v2004-20241007-en
General
Target: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
Size: 78KB
MD5: 572af0c2681ed64595528c7bcb1f22b8
SHA1: 42a3442c0b9f911a3c7cf4848d0a32c0e4abc795
SHA256: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6
SHA512: d14f3acf669745ca895c89f2fd8c3a6b4bf0a3c590ccf8b5d328e6f7cd3558dd58d5e3ae7a04f760b46f09d82792615e678fc7486d34afd1361152413c9e4357
SSDEEP: 1536:/Py5jSfXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96V9/H1AS:/Py5jS/SyRxvhTzXPvCbW2Ua9/R
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.

Metamorpherrat family

Executes dropped EXE (1 IoC)
  PID 2480  tmpB358.tmp.exe

Loads dropped DLL (2 IoCs)
  PID 2140  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  PID 2140  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe

Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by tmpB358.tmp.exe:
    \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf
    = "C:\Users\Admin\AppData\Local\Temp\System.Web.exe"  (the stored string includes the surrounding quotes)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpB358.tmp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2140  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Token: SeDebugPrivilege  PID 2480  tmpB358.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs; columns: description, pid, Process, procid_target)
  PID 2140 wrote to memory of 2580  2140  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  30  (4 events)
  PID 2580 wrote to memory of 2324  2580  vbc.exe  32  (4 events)
  PID 2140 wrote to memory of 2480  2140  6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  33  (4 events)
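The signatures above describe a recognisable chain: a process running from a user-writable Temp directory drives vbc.exe with a .cmdline response file (the CodeDOM compile-at-runtime pattern, with cvtres.exe as its normal resource step), launches a tmpXXXX.tmp.exe stage while passing it the parent's own path, and that stage writes a Run key pointing back into Temp. The detection logic below is an added example, not part of the sandbox report or of the tooling that produced it. The event records are constructed from the report's process tree and registry IoC; the event field names, the root process's parent PID (1000), and the build-host allow-list (devenv.exe, msbuild.exe, dotnet.exe) are assumptions and not taken from any particular EDR schema.

```python
"""Detection rules for the behaviour chain in this report: a Temp-resident
process driving vbc.exe with a .cmdline response file, a tmp*.tmp.exe stage
handed the parent's own path, and a Run key that points back into Temp.
Added example; event records are constructed from the report, not captured."""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = "6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")


@dataclass(frozen=True)
class ProcEvent:          # assumed schema, not a particular EDR's
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:        # assumed schema
    pid: int
    key: str
    name: str
    data: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed from the report's process tree; the root's parent PID (1000) is assumed.
PROCS = [
    ProcEvent(2140, 1000, f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(2580, 2140, f"{NET2}\\vbc.exe",
              f'"{NET2}\\vbc.exe" /noconfig @"{TEMP}\\14pak9gm.cmdline"'),
    ProcEvent(2324, 2580, f"{NET2}\\cvtres.exe",
              f'{NET2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:{TEMP}\\RESB452.tmp" "{TEMP}\\vbcB451.tmp"'),
    ProcEvent(2480, 2140, f"{TEMP}\\tmpB358.tmp.exe",
              f'"{TEMP}\\tmpB358.tmp.exe" {TEMP}\\{SAMPLE}'),
]
# Constructed from the report's "Adds Run key" IoC.
REGS = [RegSetEvent(2480, RUN_KEY, "aspnet_state_perf", f'"{TEMP}\\System.Web.exe"')]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
CMDLINE_RSP_RE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.I)
STAGE_RE = re.compile(r"tmp[0-9a-f]+\.tmp\.exe")
COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_HOSTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumed allow-list; tune per environment


def _base(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def detect(procs, regs):
    """Return findings for the three rules, in event order."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        parent_name = _base(parent.image) if parent else "?"
        name = _base(p.image)
        # Rule 1: vbc/csc run with /noconfig and a Temp response file by a parent
        # that is not a known build host (the CodeDOM compile-at-runtime chain).
        if (name in COMPILERS and "/noconfig" in p.cmdline.lower()
                and CMDLINE_RSP_RE.search(p.cmdline)
                and parent_name not in BUILD_HOSTS):
            findings.append(Finding("runtime_compile", p.pid,
                                    f"{name} spawned by {parent_name} with Temp response file"))
        # Rule 2: tmpXXXX.tmp.exe executed from Temp and handed the parent's own image path.
        if (TEMP_RE.search(p.image) and STAGE_RE.fullmatch(name) and parent is not None
                and parent.image.strip('"').lower() in p.cmdline.lower()):
            findings.append(Finding("temp_stage_with_parent_path", p.pid,
                                    f"{name} received {parent_name} as argument"))
    for r in regs:
        # Rule 3: Run-key value whose target lives under AppData\Local\Temp.
        target = r.data.strip('"')
        if r.key.lower().endswith(r"\currentversion\run") and TEMP_RE.search(target):
            findings.append(Finding("run_key_to_temp", r.pid, f"{r.name} -> {target}"))
    return findings


if __name__ == "__main__":
    for f in detect(PROCS, REGS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Rule 1 keys on the parent, not on vbc.exe itself: the same vbc/csc, /noconfig, Temp .cmdline and cvtres.exe chain is produced by any legitimate CodeDOM caller (ASP.NET, PowerShell's Add-Type), so the response file alone is noise and the allow-list is where tuning happens. Rules 2 and 3 are independent of each other; in this run all three fire on PIDs 2580 and 2480, matching the report.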
Processes
depth 1  C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe  (PID 2140)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  depth 2  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2580)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\14pak9gm.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    depth 3  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2324)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB452.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB451.tmp"
      - System Location Discovery: System Language Discovery

  depth 2  C:\Users\Admin\AppData\Local\Temp\tmpB358.tmp.exe  (PID 2480)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB358.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: 01b563edd0bd58ac8a62ee0f6401568b
SHA1: 1531a1bdb95395ff798ffcaa76a3bc232fd46f35
SHA256: 95724dd080dc062535fe449ffbbff807ae1b824844f7267d1017e0562487f1ac
SHA512: 6e1ed85bfea3e502d2169f34e2cb56de852feb690f692955f446731747d8baed138de375671d4f7018bae823d80a8649ff6e2a03367e73f5f6899bbfe654f825

Filesize: 266B
MD5: 5518864ec17482f18d9e70a9e94b55c0
SHA1: 8f31169e8443e9cfccdf89b6b78404701cbec600
SHA256: 58b508c393c5058aed61fd8866258d6b4c38bcfc20d17ab5de4e81abd0846892
SHA512: 0f977768ea180a139ba6792f52c147621a5ec7abb30e056a95f1d0851cac29596ae6dd9aab2cb4c93f928f06162aa3e0aef515bd753e9e74541949056615cfa7

Filesize: 1KB
MD5: 1a0194656b968ccf8b613a3186531b3e
SHA1: 1d602725311c8dd5382074ae77e3fca21158f1d4
SHA256: e4b657cdeeba4e41bee0dc477c09d72e91fce6cb40ce5d3a943e760df6762baa
SHA512: 16cfcc30f26f53dad084eab3d4da3c7cdcffbce02967bbba1107a2a24576e8e9f1ad90286684e15323949f2698486003314d879ca4760e0cc06c658d3dd80bd5

Filesize: 78KB
MD5: f22335ef09c21e5ffa5ee5aa7c0373c2
SHA1: 929999ea3ebb2022e260b96b2ea013d208978228
SHA256: 49bcd88e7ddcbd9c4fe4c4d92b17a754e5d36449070fdbcd405694fb514245d2
SHA512: 994c07cbc0458d39000472454eaacbb716567677d6ed16e38f72ee9a0f78ce548486a7b468504995d9c6e49caae2b08db95a0bfcf178c81ec600b14de9bde8db

Filesize: 660B
MD5: 9efa1fb81ec4456db7a3026da4945d12
SHA1: fc3cffb7e045c03081b0da6376923fe9acfe4b7d
SHA256: 9d41a0fc96497d1e329ae886ea686c0f1a155f201b449d0c0215b9015103fad5
SHA512: 5c31dae5991090542952b1263b514da23bbd743732db5679a9bc206e89215fe58346fd09aabc628669a18147f53ff13bf7a01a124cae941c8bb9d63caf57edb0

Filesize: 62KB
MD5: 8fd8e054ba10661e530e54511658ac20
SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c