Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 02:59
Static task: static1
Behavioral task: behavioral1
  Sample: cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Resource: win10v2004-20241007-en
General
Target: cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
Size: 78KB
MD5: c50fecd6605ba752a20c774a20cc37e4
SHA1: a9b6162bc193847b01bde02000a95c76211e9d18
SHA256: cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf
SHA512: bf83caad2b50c6f308b24f7c8dce9d5950b79af82fa647d8f6df2a3f4206be13213b606eaec6c983b8f8d2d0281887c9b3a03f7bc36c8f90c0779922d7bb2eb3
SSDEEP: 1536:sj584vZv0kH9gDDtWzYCnJPeoYrGQtC6K9/R18G:4584l0Y9MDYrm7y9/7
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Executes dropped EXE (1 IoCs)
  pid   Process
  2900  tmp8009.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""  tmp8009.tmp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp8009.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Token: SeDebugPrivilege  2900  tmp8009.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2312 wrote to memory of 1956  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  30
  PID 2312 wrote to memory of 1956  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  30
  PID 2312 wrote to memory of 1956  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  30
  PID 2312 wrote to memory of 1956  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  30
  PID 1956 wrote to memory of 2712  1956  vbc.exe                                                                   32
  PID 1956 wrote to memory of 2712  1956  vbc.exe                                                                   32
  PID 1956 wrote to memory of 2712  1956  vbc.exe                                                                   32
  PID 1956 wrote to memory of 2712  1956  vbc.exe                                                                   32
  PID 2312 wrote to memory of 2900  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  33
  PID 2312 wrote to memory of 2900  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  33
  PID 2312 wrote to memory of 2900  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  33
  PID 2312 wrote to memory of 2900  2312  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  33
Processes

[1] C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe"
    PID: 2312
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3vspcpd7.cmdline"
        PID: 1956
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80A5.tmp"
            PID: 2712
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
        PID: 2900
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads