Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 02:13
Static task: static1

Behavioral task: behavioral1
  Sample: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
  Resource: win10v2004-20241007-en

The signatures, IoCs and process tree below come from the windows7_x64 run (behavioral1, platform listed above); PIDs are specific to that run.
General

Target: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
Size: 78KB
MD5: 3584d349a83e79620e77fbb65ac995e0
SHA1: 066e6a2d4e7cf22c557fa0a7544cd958e7da69a2
SHA256: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbc
SHA512: cb483d653e7d809e5123d4f4cdcdc66534d788ee390877bc6a7b3b7388d9b74be6e15b25997c93c3d602a8181bb39fd668e73ba0cf5103bce8bcaa7fa9c5479d
SSDEEP: 1536:We5hXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6g9/F1hn:We5hSyRxvY3md+dWWZyP9/J
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family
Executes dropped EXE (1 IoC)
  pid 2744  tmpD105.tmp.exe

Loads dropped DLL (2 IoCs)
  pid 2132  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
  pid 2132  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
Uses the VBS compiler for execution (1 TTP)
The binary behind this signature is vbc.exe from the .NET Framework directory (the Visual Basic .NET command-line compiler, not the VBScript engine); the process tree below shows it being invoked at runtime with a response file in the user's Temp directory.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)
    key:     \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes
    data:    "C:\Users\Admin\AppData\Local\Temp\big5.exe"  (the surrounding double quotes are part of the stored string)
    process: tmpD105.tmp.exe
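The Run value above is a per-user (HKU\<SID>) entry written by the dropped tmpD105.tmp.exe and pointing at a file in the user's Temp directory, which the report does not show being executed during the run. The following is an added example, not code from this report or from the sandbox vendor, of how to triage such registry IoCs: it parses the value path and data, records whether the hive is per-user or machine-wide, and flags targets that live under user-writable directories. The key/value constants are transcribed from the IoC above with the JSON escaping removed; the benign entry used in the usage note is constructed.

```python
import re

# Matches a value under ...\CurrentVersion\Run or RunOnce in any hive and
# captures the value name (the last path component, "ShFusRes" in this report).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Directories an installer-created autostart rarely points into. A Run value
# whose target sits in one of them is the dropped-payload pattern seen above.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)

# Constructed from the IoC in this report (JSON escaping removed). The stored
# string keeps its surrounding double quotes, as written by the dropper.
SAMPLE_KEY = (r"\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000"
              r"\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes")
SAMPLE_VALUE = r'"C:\Users\Admin\AppData\Local\Temp\big5.exe"'


def hive_scope(key_path):
    """'user' for a per-user hive (no admin rights needed), 'machine' for HKLM."""
    k = key_path.lower()
    if k.startswith(("\\registry\\machine", "hklm", "hkey_local_machine")):
        return "machine"
    if k.startswith(("\\registry\\user", "hkcu", "hkey_current_user", "hkey_users")):
        return "user"
    return "unknown"


def parse_run_value(value):
    """Extract the executable path from a Run value: a quoted path (with or
    without arguments), an unquoted path followed by arguments, or a bare path."""
    v = value.strip()
    if not v:
        return ""
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", v, re.IGNORECASE)
    return m.group(1) if m else v.split()[0]


def assess_run_entry(key_path, value):
    """Classify one Run/RunOnce value. Returns the parsed fields plus the
    reasons the entry is considered suspicious (empty list if it is not)."""
    target = parse_run_value(value)
    result = {
        "value_name": None,
        "target": target,
        "scope": hive_scope(key_path),
        "suspicious": False,
        "reasons": [],
    }
    m = RUN_KEY_RE.search(key_path)
    if m is None:
        result["reasons"].append("not a Run/RunOnce value")
        return result
    result["value_name"] = m.group("name")
    low = target.lower()
    hit = next((d for d in USER_WRITABLE_DIRS if d in low), None)
    if hit is not None:
        result["reasons"].append(f"target lives under user-writable path {hit}")
    # tmpXXXX.tmp / tmpXXXX.tmp.exe is the naming the dropped stage in this
    # report uses; treat a Run target with that shape as a second signal.
    if re.search(r"\\tmp[0-9a-f]{4}\.tmp(\.exe)?$", low):
        result["reasons"].append("target has a tmpXXXX.tmp style name")
    result["suspicious"] = bool(result["reasons"])
    return result


if __name__ == "__main__":
    print(assess_run_entry(SAMPLE_KEY, SAMPLE_VALUE))
```

Run against the report's IoC this returns value name ShFusRes, scope user, and a single reason naming the Temp directory. AppData\Roaming is the noisiest of the listed prefixes (several mainstream applications legitimately autostart from there), so in a real hunt pair it with an allow-list or a signer check on the target rather than alerting on the path alone.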
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpD105.tmp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
The hits attributed to vbc.exe and cvtres.exe are the Microsoft compiler binaries performing ordinary locale lookup and carry no signal on their own; the entries for the sample and the dropped tmpD105.tmp.exe are the ones to weigh.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2132  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
  Token: SeDebugPrivilege  pid 2744  tmpD105.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs; three parent/child pairs, each logged four times)
  PID 2132 wrote to memory of 2244  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe -> vbc.exe          (target id 31, 4 writes)
  PID 2244 wrote to memory of 372   vbc.exe -> cvtres.exe                                                               (target id 33, 4 writes)
  PID 2132 wrote to memory of 2744  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe -> tmpD105.tmp.exe  (target id 34, 4 writes)
These writes coincide with process creation (a parent writing the startup environment into a child it has just spawned), so on their own they do not establish injection into a foreign process.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe"
    PID: 2132
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\crvytvzi.cmdline"
        PID: 2244
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2D9.tmp"
            PID: 372
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\tmpD105.tmp.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\tmpD105.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
        PID: 2744
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
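The tree shows two chains worth a detection rule: the sample spawning vbc.exe with a response file in Temp (the .NET CodeDom compile-at-runtime pattern, ATT&CK T1027.004 Compile After Delivery; cvtres.exe under vbc.exe is the compiler's normal resource step), and the sample launching a second executable from the same Temp directory with its own path as the argument. The following is an added example, not code from this report or from the sandbox vendor: it replays process-creation events transcribed from the tree above (parent links taken from the nesting and the WriteProcessMemory entries; the sample's own parent is not in the report and is recorded as 0) through two rules and a tree renderer. The rule names, the BUILD_TOOLS allow-list and the benign MSBuild events in the test are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int      # 0 = parent not recorded in the report
    image: str
    cmdline: str


# Constructed process-creation events transcribed from the process tree above.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe"
EVENTS = [
    Proc(2132, 0, SAMPLE, '"' + SAMPLE + '"'),
    Proc(2244, 2132, FW + r"\vbc.exe",
         '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\crvytvzi.cmdline"'),
    Proc(372, 2244, FW + r"\cvtres.exe",
         FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
         + r'\RESD2DA.tmp" "' + TEMP + r'\vbcD2D9.tmp"'),
    Proc(2744, 2132, TEMP + r"\tmpD105.tmp.exe",
         '"' + TEMP + r'\tmpD105.tmp.exe" ' + SAMPLE),
]

# Parents under which a compiler launch is expected (assumed allow-list).
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
# The @"file.cmdline" response-file argument csc.exe/vbc.exe accept.
RSP_RE = re.compile(r'@"?(?P<rsp>[^"\s]+\.cmdline)"?', re.IGNORECASE)


def leaf(path):
    return path.rsplit("\\", 1)[-1]


def basename(path):
    return leaf(path).lower()


def in_temp(path):
    low = path.lower()
    return any(d in low for d in TEMP_DIRS)


def detect(events):
    """Return (pid, rule, detail) tuples for the two chains this report shows."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        name = basename(e.image)
        # Rule 1: vbc.exe/csc.exe reading a response file from a temp directory
        # and not launched by a build tool: compile after delivery (T1027.004).
        if name in ("vbc.exe", "csc.exe"):
            m = RSP_RE.search(e.cmdline)
            if m and in_temp(m.group("rsp")) and parent_name not in BUILD_TOOLS:
                findings.append((e.pid, "runtime-compile",
                                 f"{parent_name or '?'} -> {name} {m.group('rsp')}"))
        # Rule 2: an executable in a temp directory started by a parent that is
        # itself in a temp directory: a dropped second stage being run.
        if parent and in_temp(e.image) and in_temp(parent.image):
            findings.append((e.pid, "dropped-exe-from-temp", f"{parent_name} -> {name}"))
    return findings


def tree_lines(events):
    """Render the parent/child tree, two spaces per level, in event order."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    lines = []

    def walk(e, depth):
        lines.append("  " * depth + f"{leaf(e.image)} ({e.pid})")
        for c in children.get(e.pid, []):
            walk(c, depth + 1)

    for e in events:
        if e.ppid not in by_pid:   # roots: parent not recorded
            walk(e, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(tree_lines(EVENTS)))
    for pid, rule, detail in detect(EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

On the report's events this yields exactly two findings, for PID 2244 (runtime-compile) and PID 2744 (dropped-exe-from-temp); cvtres.exe is not flagged. Rule 1 keys on the response file's location rather than on vbc.exe itself because developer machines invoke the compiler constantly, and a .cmdline under a project's obj directory is the normal case the allow-list and path check together let through.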
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists the following dropped or downloaded files by size and hash only; no file names are given. Note that the 78KB entry matches the submitted sample in size but not in any hash.

Filesize: 1KB
MD5: b738bf643384ad6f16443811a94185bf
SHA1: 8c7471efb55087a6fb6ff6cae60c9d2984f6a21b
SHA256: 8f56205c285e557dfb98d3cf69385c35310078a047c7be8145326093944af13f
SHA512: f7ce48ea39700125b1c69cabeccf5c49a19a3290e1d715785872f2b7f71e1b1ad94cd7c21885f066bc7c9724707e8e35f8a863e5aca8f75590f2e24ef4bc0f4b

Filesize: 14KB
MD5: 94f39efe9c6a564f6d62b9638941416a
SHA1: 220ef743aab0a6ca52fc7f7827c9c4d2c8cfee9e
SHA256: 082a18f09b134a58b8e3144ea5e88b1b17bc948765f9cacd3dc177dbee0ccb80
SHA512: cff91ff5b32c091c68d58fe91de64237d8e15240446633f9953e7e76a328ca975ce7cfd1c6111526cf4edf3021c9870ae9a235291db1e76b295c00c0be2dd4a7

Filesize: 266B
MD5: 2caf027163bf55e42d169c1457328d2b
SHA1: 8dde8bd8808244497e3bc09401912f0982939ae3
SHA256: 2295534e77cb34507ba45c487025e98b845e9e9a0a31d7863ca68cf3ada91068
SHA512: e7acdbb60ff758f0ee8e8b56954bff50b863ef2b4fbff36e24308203cd4a594e7e09fe3b7057f5e27f4e57711bc2231584955d51592a213f0275b6b76d2d8afd

Filesize: 78KB
MD5: 45a26ea4736269958e1301a0398e740e
SHA1: c7cecf5b62495c46dcf4b5c64777c33f2c648e2c
SHA256: ecc59765fe37a94589495aabf874d38ccc918d0ae8bb846e1ea7eeb4a2b478e1
SHA512: 2697f8d5d65042ce955124f7dac229eab1db6aeb1c09b84fcaefa4eef68c84efb1b86525afd0e5822fe88c1ca81dda873ad6993af29de4923120148375fe19f1

Filesize: 660B
MD5: 943682653e3a7c50b7932f3331f5b626
SHA1: ef66ee7bbc622861735bd2720db692a58ab514de
SHA256: 7ec89da3b198d4a1ab03d40d7a1a0dfeafba96445ecfd1e44417b7cf082d53a2
SHA512: e2aba672f1317b0308891f080bc92a005a3ca81aac9b108c550aadb6be0ec4d6892665581caf8ca047223f3bf8c3cd8a526406f5ba2941655a65d043e4d73565

Filesize: 62KB
MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107