Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
04-12-2024 22:27
Static task
static1
Behavioral task
behavioral1
Sample
e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Resource
win10v2004-20241007-en
General
-
Target
e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
-
Size
78KB
-
MD5
23dafd8e528d068d04df141bcc9de510
-
SHA1
25c0b269b1ea02be114dee089d86b970fa631184
-
SHA256
e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e
-
SHA512
34a6070bca3c1f86c6a48e6b50dd81b84d4d32be500e92d344bd6a6695326affa26091626b0c0abcfeab166f2f811abada69e95761921c4f9aa80d0815a36257
-
SSDEEP
1536:EzWV59XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96CV9/JN1uNL:qWV5tSyRxvY3md+dWWZyfV9/JaL
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Metamorpherrat family
-
Executes dropped EXE 1 IoCs
pid Process
1448 tmp5C24.tmp.exe
-
Loads dropped DLL 2 IoCs
pid Process
2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" tmp5C24.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp5C24.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Token: SeDebugPrivilege 1448 tmp5C24.tmp.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 2736 wrote to memory of 1232 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe 28
PID 2736 wrote to memory of 1232 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe 28
PID 2736 wrote to memory of 1232 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe 28
PID 2736 wrote to memory of 1232 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe 28
PID 1232 wrote to memory of 2696 1232 vbc.exe 30
PID 1232 wrote to memory of 2696 1232 vbc.exe 30
PID 1232 wrote to memory of 2696 1232 vbc.exe 30
PID 1232 wrote to memory of 2696 1232 vbc.exe 30
PID 2736 wrote to memory of 1448 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe 31
PID 2736 wrote to memory of 1448 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe 31
PID 2736 wrote to memory of 1448 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe 31
PID 2736 wrote to memory of 1448 2736 e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe 31
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i6mmzi1k.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232 -
Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D8B.tmp"
- System Location Discovery: System Language Discovery
PID:2696 -
Level 2: C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1448 -
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 394c2d4c69136187dc0c12aac1d7fb11
SHA1 13475cd9332d83125a5e9fa2b60c0feb1788cb9e
SHA256 495ab17ee2c1b58ea67cf2b3fe7937f3d9732953f78c80a9910b0563e22be557
SHA512 a646d2d92ce30fbc8916ca3a595c06e8188d0b83bdd747a0248db5360e42da666d1ccc7b312eae499f570417f22055af89198d85bd8bd2555f161c65520d466a
-
Filesize
14KB
MD5 998c3e0c0a34bc3ac4d5542b7f386a6f
SHA1 1f0c2605a3c0a6aab42c08bfd6021511af41b2b3
SHA256 102f1ccc6d2a3b8d9b3c183d23e0ea5238458da9ec4729c6b15cdf5f12f18d89
SHA512 734ec3f2d25745860270f0d26d42f27461d9da63b3202834dc0b54c7ee1000ffbbe3d3c2f7b0bb495810b32e7d1988a8093bb5d036997ffd27ce9b9fd9eef394
-
Filesize
266B
MD5 580ca7d9d79d6a7283d5e3ec6461a50b
SHA1 975d3ab130eef59a377e79cc9a41a54905388b90
SHA256 493985385e30eba539dcd1577a2fed8df1369c11d916bfb88eb7ec1ac2af8b62
SHA512 54174b784e2d0217c7aafb4bda80fe87affebcbeab352d4266cf41b949357391fb770a0491792a4da272ea5df6ecffcfe8e9321baa16d03b55e3f56c5934a103
-
Filesize
78KB
MD5 cec3fc96af7b172eb62b5941cf26c183
SHA1 c07174a8ab00d1554dc7d3aa018636b4228dcc03
SHA256 1b5a96dacf76f2d352de6f352accde2abdf78161d58c9a3ac231a104d7ded942
SHA512 4a3df8ea4f093d7f8c40dfbc922a1f4b9846589eaf6764f995d537ce251b5b7141c2084e147e151d74558ea0f32a95a888be63482bd375d75ee4ea4a2507bf09
-
Filesize
660B
MD5 2a5d143257da217de97c68472386d86c
SHA1 044f43f1a966ccf84a30826a42bc2bfe107fcc2c
SHA256 8b6d24301be350705ab62168fcb75a4337520f7b38b76c6186f9eb2213ed89ad
SHA512 3b433055d665871ad58403ece2dd2b22517ef1edec1bc3b62a2ae83aa3700992edcf386b71a2d69a1ef3685562b7861b3b6d48e97356ae5715b06a7ce221417e
-
Filesize
62KB
MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107