Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2024 02:59

General

  • Target

    cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe

  • Size

    78KB

  • MD5

    c50fecd6605ba752a20c774a20cc37e4

  • SHA1

    a9b6162bc193847b01bde02000a95c76211e9d18

  • SHA256

    cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf

  • SHA512

    bf83caad2b50c6f308b24f7c8dce9d5950b79af82fa647d8f6df2a3f4206be13213b606eaec6c983b8f8d2d0281887c9b3a03f7bc36c8f90c0779922d7bb2eb3

  • SSDEEP

    1536:sj584vZv0kH9gDDtWzYCnJPeoYrGQtC6K9/R18G:4584l0Y9MDYrm7y9/7

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
    "C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3vspcpd7.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80A5.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2712
    • C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3vspcpd7.0.vb

    Filesize

    14KB

    MD5

    18bccfedfa0a301dee8c8e3c191edfa5

    SHA1

    b03934e5a50f79490fc848933ef32f25d10dba53

    SHA256

    9c16fa4cd8c47518e739b1d98d8cf497cc26c99ee405469084f1abb8df7be41c

    SHA512

    7b2d60a5d2637450cb478abaafd9f39dc101822159bffe8daae1924c06286969d42ce9d261edc03f4dc756b8ec1d6ae623af67af03a672a7ed603cb2ee832808

  • C:\Users\Admin\AppData\Local\Temp\3vspcpd7.cmdline

    Filesize

    266B

    MD5

    94a33b2e63c128206661f2d80080f80c

    SHA1

    f62acff74b8a2a8dbf5ecb6651fa60ba907fff56

    SHA256

    d5fb1deaf4f83a8a9496ac4e595f580d678837e2a7d54acd7534baa204a99a2e

    SHA512

    977ce2e826baac3bb31a8c294e525e8320a2dff22a1be663484179beea3835ddb330983c0536cda59c69ae3dc74cd0ee9c5aa0435b632dbef040e8ff5035d0c0

  • C:\Users\Admin\AppData\Local\Temp\RES80A6.tmp

    Filesize

    1KB

    MD5

    a4416b07cbaf388f32b2afaf014207ba

    SHA1

    25d961e52b6f8a4642188b81b290d2a99d8e5f13

    SHA256

    193c4cdcdacb5efea375c17670461db9264f1102991de724801c74c30feffa40

    SHA512

    c013a962f96fdd4eff557364bb539cb8414339d43ddff430816f33d6de98fa8dae3fe9b97d3f07c82d31b57c5f85014d95cdeb30a098bedd8cb4103fe3ea3f98

  • C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.exe

    Filesize

    78KB

    MD5

    301d14a451289806c0bd0ddc101b41d0

    SHA1

    44e14ba4dc222272653da528fad15f786fa8c1a8

    SHA256

    468250ea916ef32cb481ce402ca98ead29d1a3accdff734ea56071b407287448

    SHA512

    0e536701375a998df862357b91ffe79ce593f3751a171e7d6a30ef0e16544104e5f46437b9fb2313b442bdf8f8f2176bd821c04a2393687e2e637948d8683ba8

  • C:\Users\Admin\AppData\Local\Temp\vbc80A5.tmp

    Filesize

    660B

    MD5

    bac95dc3271d78f2185a613e99eb53a6

    SHA1

    1efb7bba5e01e8a4aec3b136fc3c8617341e4b10

    SHA256

    dc6e07218d0de22acfafb0d542cdf6d8ac72887e316e97065fe6310ab01705d0

    SHA512

    0e5d5dd93b10c515af6e02a6d8d14ad561236a925e7f0b30258bd377e9ce6be7186e26d9faa07e9e96d38cabd14a023f24c36e9b06db02cb483142275e2a5017

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/1956-8-0x00000000745F0000-0x0000000074B9B000-memory.dmp

    Filesize

    5.7MB

  • memory/1956-18-0x00000000745F0000-0x0000000074B9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2312-0-0x00000000745F1000-0x00000000745F2000-memory.dmp

    Filesize

    4KB

  • memory/2312-1-0x00000000745F0000-0x0000000074B9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2312-2-0x00000000745F0000-0x0000000074B9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2312-24-0x00000000745F0000-0x0000000074B9B000-memory.dmp

    Filesize

    5.7MB