Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 04-12-2024 02:23
- Static task: static1
- Behavioral task: behavioral1
  - Sample: cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
  - Resource: win7-20240903-en
- Behavioral task: behavioral2
  - Sample: cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
  - Resource: win10v2004-20241007-en
General
- Target: cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
- Size: 78KB
- MD5: 634ce1212e84df52a4b15a04be713d34
- SHA1: f6134013ad864ae9d0b65023f1cc34c28856e3be
- SHA256: cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8
- SHA512: 00d8c49d4a01ccd0543fa0df9866e357a1e680a4074c5a028c9c395d0ba400ca029ac420ab4231731b0f73c095a9288c20a16405551f51786fb7878f60911483
- SSDEEP: 1536:LtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt869/C1HdZ:LtHYnhASyRxvhTzXPvCbW2U869/eZ
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  pid 1368: tmpE08F.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 2084: cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
  pid 2084: cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmpE08F.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpE08F.tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2084, cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
  Token: SeDebugPrivilege, pid 1368, tmpE08F.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2084 wrote to memory of 1256 | 2084 | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe | 31
  PID 2084 wrote to memory of 1256 | 2084 | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe | 31
  PID 2084 wrote to memory of 1256 | 2084 | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe | 31
  PID 2084 wrote to memory of 1256 | 2084 | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe | 31
  PID 1256 wrote to memory of 2188 | 1256 | vbc.exe | 33
  PID 1256 wrote to memory of 2188 | 1256 | vbc.exe | 33
  PID 1256 wrote to memory of 2188 | 1256 | vbc.exe | 33
  PID 1256 wrote to memory of 2188 | 1256 | vbc.exe | 33
  PID 2084 wrote to memory of 1368 | 2084 | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe | 34
  PID 2084 wrote to memory of 1368 | 2084 | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe | 34
  PID 2084 wrote to memory of 1368 | 2084 | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe | 34
  PID 2084 wrote to memory of 1368 | 2084 | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe | 34
Processes
- C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe"
  PID: 2084
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_z3agzf.cmdline"
    PID: 1256
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1C7.tmp"
      PID: 2188
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpE08F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE08F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
    PID: 1368
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
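The two behaviours that matter most in this report are the runtime compile-and-execute chain (the sample in %TEMP% spawning vbc.exe with a *.cmdline response file, which in turn spawns cvtres.exe) and the Run-key value written by the dropped tmpE08F.tmp.exe that points at another executable in %TEMP%. Both are straightforward to express as rules over process-creation and registry-write events. The script below is an added example, not part of the sandbox report or any vendor's detection code: it replays constructed event records modelled on the process tree and IoCs listed above (the field names, the benign MSBuild and OneDrive control records, and the parent PIDs 1000, 4000, 4100 and 5000 are assumptions for illustration) and flags both patterns, correlating the registry writer back to the process tree.

```python
"""Added example: two detection rules replayed over constructed events modelled on
the report above. ProcEvent/RegEvent field names, the benign control records and
the PIDs 1000/4000/4100/5000 are assumptions, not sandbox data."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int   # writing process
    key: str   # full key path including the value name, as the sandbox prints it
    data: str


SAMPLE = "cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"


def tmp(name):
    return TEMP + "\\" + name


# Constructed records: the four processes from the report plus a benign build (must not fire).
PROC_EVENTS = [
    ProcEvent(2084, 1000, tmp(SAMPLE), '"' + tmp(SAMPLE) + '"'),
    ProcEvent(1256, 2084, NET20 + r"\vbc.exe",
              '"' + NET20 + r'\vbc.exe" /noconfig @"' + tmp("u_z3agzf.cmdline") + '"'),
    ProcEvent(2188, 1256, NET20 + r"\cvtres.exe",
              NET20 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + tmp("RESE1C8.tmp")
              + '" "' + tmp("vbcE1C7.tmp") + '"'),
    ProcEvent(1368, 2084, tmp("tmpE08F.tmp.exe"), '"' + tmp("tmpE08F.tmp.exe") + '" ' + tmp(SAMPLE)),
    ProcEvent(4101, 4100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\src\obj\tmp.cmdline"'),
    ProcEvent(4100, 4000, r"C:\Program Files\MSBuild\MSBuild.exe", "MSBuild.exe app.vbproj"),
]
# Constructed records: the Run-key IoC from the report plus a benign vendor autorun (must not fire).
SID = r"S-1-5-21-1846800975-3917212583-2893086201-1000"
RUN = r"\REGISTRY\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
REG_EVENTS = [
    RegEvent(1368, RUN + r"\aspnet_state_perf", '"' + tmp("System.Web.exe") + '"'),
    RegEvent(5000, RUN + r"\OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
USER_WRITABLE = re.compile(
    r"(?i)\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp)\\")
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.I)
RUN_VALUE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$")
EXE_PATH = re.compile(r'^\s*"?([A-Za-z]:\\[^"]*?\.exe)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_runtime_compile_chains(proc_events):
    """Flag vbc/csc/jsc started by anything other than a known build host. A compiler
    launched from a user-writable path with a cvtres.exe child is the on-box
    compile-the-payload pattern; the *.cmdline response file is what to collect."""
    by_pid = {e.pid: e for e in proc_events}
    children = defaultdict(list)
    for e in proc_events:
        children[e.ppid].append(e)
    hits = []
    for e in proc_events:
        if basename(e.image) not in COMPILERS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in BUILD_HOSTS:
            continue  # an unknown parent is not a reason to suppress
        m = RESPONSE_FILE.search(e.cmdline)
        hits.append({
            "parent_pid": e.ppid,
            "parent_image": parent.image if parent else None,
            "parent_in_user_writable": bool(parent and USER_WRITABLE.search(parent.image)),
            "compiler_pid": e.pid,
            "response_file": m.group(1) if m else None,
            "linker_children": [c.pid for c in children[e.pid] if basename(c.image) == "cvtres.exe"],
        })
    return hits


def find_suspicious_run_keys(reg_events, proc_events):
    """Flag Run/RunOnce values whose target lives in a user-writable directory or
    which were written by a process itself running from one (the dropped EXE case)."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for r in reg_events:
        m = RUN_VALUE.search(r.key)
        if not m:
            continue
        t = EXE_PATH.match(r.data)
        target = t.group(1) if t else r.data
        writer = by_pid.get(r.pid)
        target_bad = bool(USER_WRITABLE.search(target))
        writer_bad = bool(writer and USER_WRITABLE.search(writer.image))
        if target_bad or writer_bad:
            hits.append({"value_name": m.group(1), "target": target, "target_in_user_writable": target_bad,
                         "writer_pid": r.pid, "writer_in_user_writable": writer_bad})
    return hits


def triage(proc_events=PROC_EVENTS, reg_events=REG_EVENTS):
    return {"runtime_compile": find_runtime_compile_chains(proc_events),
            "run_key_persistence": find_suspicious_run_keys(reg_events, proc_events)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The build-host allow list is the part to tune per environment: developer workstations legitimately run vbc.exe under MSBuild or devenv, but a compiler whose parent sits in %TEMP% or AppData, with a cvtres.exe child and a response file in the same directory, is worth pulling the .cmdline and the resulting binary for regardless of what the parent is called.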
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: ab6235048fba0e882ed631ce2ab79cee
  SHA1: 8b874c6d26bd51bb701cf16022a81ed318677c4d
  SHA256: 3f167d5f87d28904ba45ffe3940d9560c39fc7767348390914e0254f37e8138d
  SHA512: 38b095263375fb7e6cd49af90c1439a777eafed2a4e9c8ee03d5cbfd1ade01e6c39dc6444c2d32b86e6b1591abc115d2854ad2e9f759fd50f33caa20c8b30c1d
- Filesize: 78KB
  MD5: 954869379afb062543135ab630b5b38e
  SHA1: 001c5c45d57d2820ba1b94f6258825c76c6da0a8
  SHA256: cea9d109ca1f47150823cb87fd23056b9113a4a88ae8e9158224dc01c67b51c5
  SHA512: b527cdc8f338a14eb791f0bc24869beee61f82a61f37d0d0488af432f2c2a14d4030a1f9a207dfe101b9d38245298679cd1742f682f803878dd846d54e4b7467
- Filesize: 15KB
  MD5: 8ecca413ba22ffcbf3c7d8d6b09c88c8
  SHA1: 252032fd6385f428590b968d000b961c7d7e1049
  SHA256: 1e5f692a9b877656fc68f7684620ba640de6105b0492ca29eafb281f770d6ac6
  SHA512: fe3b55f9c63137a7f8f04d7b52425e8e048a5bee34052609a263c5739e1e89c001e459b41794cbfbdd7aa27f880d89afedc1867597ae0de38a3005eda1ead16b
- Filesize: 266B
  MD5: 82b44cc7c4792e8389263713f1d7742c
  SHA1: 126fdc2f2526fde30fb47e524273b0fc002f43a5
  SHA256: f0ae9ac4eae3c6e6e534928c009cc7c4a8136a37b8a6d0c5ac1efc1afa8d20d9
  SHA512: ec257f11de86bffce1223a4e6284d6fba6bde65c5fdcf3df1e1b531d465712e92eb553f7ba1c2ce1af5bb86fcf74224750b470eeb4b5f2d7dc4263c919138de6
- Filesize: 660B
  MD5: ea3fbe5ceaff26489058892d6c3c8af6
  SHA1: 381842d36cda765447864507ec4a40671cb334a0
  SHA256: 1db9de90cc03d969b60fb70d6c9d400b6441c9f82d591b3e6146f4cb42ad6e43
  SHA512: 2d43c19406e3579a8be3d1f49e6d3e0ce8c982f3fb2dccd58532d0f9d168c1bd31b1ca497c891598d6b2e90040766c9ea69f51784201eb315172a24caf21d0d5
- Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c