Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 02:23

General

  • Target

    cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe

  • Size

    78KB

  • MD5

    634ce1212e84df52a4b15a04be713d34

  • SHA1

    f6134013ad864ae9d0b65023f1cc34c28856e3be

  • SHA256

    cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8

  • SHA512

    00d8c49d4a01ccd0543fa0df9866e357a1e680a4074c5a028c9c395d0ba400ca029ac420ab4231731b0f73c095a9288c20a16405551f51786fb7878f60911483

  • SSDEEP

    1536:LtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt869/C1HdZ:LtHYnhASyRxvhTzXPvCbW2U869/eZ

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
    "C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_z3agzf.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1C7.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2188
    • C:\Users\Admin\AppData\Local\Temp\tmpE08F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE08F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESE1C8.tmp

    Filesize

    1KB

    MD5

    ab6235048fba0e882ed631ce2ab79cee

    SHA1

    8b874c6d26bd51bb701cf16022a81ed318677c4d

    SHA256

    3f167d5f87d28904ba45ffe3940d9560c39fc7767348390914e0254f37e8138d

    SHA512

    38b095263375fb7e6cd49af90c1439a777eafed2a4e9c8ee03d5cbfd1ade01e6c39dc6444c2d32b86e6b1591abc115d2854ad2e9f759fd50f33caa20c8b30c1d

  • C:\Users\Admin\AppData\Local\Temp\tmpE08F.tmp.exe

    Filesize

    78KB

    MD5

    954869379afb062543135ab630b5b38e

    SHA1

    001c5c45d57d2820ba1b94f6258825c76c6da0a8

    SHA256

    cea9d109ca1f47150823cb87fd23056b9113a4a88ae8e9158224dc01c67b51c5

    SHA512

    b527cdc8f338a14eb791f0bc24869beee61f82a61f37d0d0488af432f2c2a14d4030a1f9a207dfe101b9d38245298679cd1742f682f803878dd846d54e4b7467

  • C:\Users\Admin\AppData\Local\Temp\u_z3agzf.0.vb

    Filesize

    15KB

    MD5

    8ecca413ba22ffcbf3c7d8d6b09c88c8

    SHA1

    252032fd6385f428590b968d000b961c7d7e1049

    SHA256

    1e5f692a9b877656fc68f7684620ba640de6105b0492ca29eafb281f770d6ac6

    SHA512

    fe3b55f9c63137a7f8f04d7b52425e8e048a5bee34052609a263c5739e1e89c001e459b41794cbfbdd7aa27f880d89afedc1867597ae0de38a3005eda1ead16b

  • C:\Users\Admin\AppData\Local\Temp\u_z3agzf.cmdline

    Filesize

    266B

    MD5

    82b44cc7c4792e8389263713f1d7742c

    SHA1

    126fdc2f2526fde30fb47e524273b0fc002f43a5

    SHA256

    f0ae9ac4eae3c6e6e534928c009cc7c4a8136a37b8a6d0c5ac1efc1afa8d20d9

    SHA512

    ec257f11de86bffce1223a4e6284d6fba6bde65c5fdcf3df1e1b531d465712e92eb553f7ba1c2ce1af5bb86fcf74224750b470eeb4b5f2d7dc4263c919138de6

  • C:\Users\Admin\AppData\Local\Temp\vbcE1C7.tmp

    Filesize

    660B

    MD5

    ea3fbe5ceaff26489058892d6c3c8af6

    SHA1

    381842d36cda765447864507ec4a40671cb334a0

    SHA256

    1db9de90cc03d969b60fb70d6c9d400b6441c9f82d591b3e6146f4cb42ad6e43

    SHA512

    2d43c19406e3579a8be3d1f49e6d3e0ce8c982f3fb2dccd58532d0f9d168c1bd31b1ca497c891598d6b2e90040766c9ea69f51784201eb315172a24caf21d0d5

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/1256-8-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/1256-18-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/2084-0-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

    Filesize

    4KB

  • memory/2084-1-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/2084-2-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB

  • memory/2084-24-0x0000000074DA0000-0x000000007534B000-memory.dmp

    Filesize

    5.7MB