Analysis
max time kernel: 131s
max time network: 142s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 02:44
Static task: static1
Behavioral task: behavioral1
  Sample: cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
  Resource: win10v2004-20241007-en
General
Target: cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
Size: 78KB
MD5: ff8f48e89cdd1f1bb1373e4030cf36dc
SHA1: d1e97a665c5ea8c2d6ade1a6438217993795b1d5
SHA256: cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f
SHA512: 15bfe443c92bbd35e940c04704cdede2e53fe07e11f2e778ca61943324cbceb635eb2155d254181c9d6644db0601f6d528661a205a6ee238aa1935ab9e5a625d
SSDEEP: 1536:YoRWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMu9/SG:fRWtH/3ZAtWDDILJLovbicqOq3o+nMup
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoCs)
  pid 2696: tmpA6E9.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 1732: cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
  pid 1732: cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" (process: tmpA6E9.tmp.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpA6E9.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (pid 1732, cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe)
  Token: SeDebugPrivilege (pid 2696, tmpA6E9.tmp.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1732 wrote to memory of 1880 | 1732 | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe | 30
  PID 1732 wrote to memory of 1880 | 1732 | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe | 30
  PID 1732 wrote to memory of 1880 | 1732 | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe | 30
  PID 1732 wrote to memory of 1880 | 1732 | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe | 30
  PID 1880 wrote to memory of 2332 | 1880 | vbc.exe | 32
  PID 1880 wrote to memory of 2332 | 1880 | vbc.exe | 32
  PID 1880 wrote to memory of 2332 | 1880 | vbc.exe | 32
  PID 1880 wrote to memory of 2332 | 1880 | vbc.exe | 32
  PID 1732 wrote to memory of 2696 | 1732 | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe | 33
  PID 1732 wrote to memory of 2696 | 1732 | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe | 33
  PID 1732 wrote to memory of 2696 | 1732 | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe | 33
  PID 1732 wrote to memory of 2696 | 1732 | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1732
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rlzmz1ii.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1880
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7D3.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2332
  - C:\Users\Admin\AppData\Local\Temp\tmpA6E9.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA6E9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2696
Network
MITRE ATT&CK Enterprise v15
Downloads