Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 06:45

General

  • Target

    d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe

  • Size

    78KB

  • MD5

    7afe3e8926bce1c2bc8a5b17ab2694a4

  • SHA1

    71e7cb335cbf7285da9153aaa019417522240c75

  • SHA256

    d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc

  • SHA512

    c52202fed5e14f32745fa2a21d3f4a480347203dc4dc10dc47d03874d5a27ddc4e74a5cc997cc7723588b5461bdb499768b9eefc96102491e4a42564a146b448

  • SSDEEP

    1536:CsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtkB9//1CYE:CsH/3DJywQjDgTLopLwdCFJzkB9/dE

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
    "C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyvyy4_w.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD808.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD807.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2144
    • C:\Users\Admin\AppData\Local\Temp\tmpD74C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD74C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD808.tmp

    Filesize

    1KB

    MD5

    7499072a9b4ecbf3a3d14a65866c1681

    SHA1

    7061212e831e87de7c56ef23d0671a5a2dddc7c5

    SHA256

    973777b3064441b0396d2970564fdf4ddedf900dd4c88befa4b21d0d26db33f8

    SHA512

    b1c6763d282fd30dca0958a7a2ba5034d9166bee8aee6e7249eaedad77e0fba64ce46e13245f063aef0acdc12cdec0893415cad7ad67caa9ac67e3ee0377ec33

  • C:\Users\Admin\AppData\Local\Temp\lyvyy4_w.0.vb

    Filesize

    15KB

    MD5

    546674f3ce4506ed7e905e373413cf9c

    SHA1

    88b5f8da98339fde803e4b62131d98bca4b6d325

    SHA256

    e7683df0a546c4456905354b52cccde58b63fc7f0ba46921727f90cd5cfe8c68

    SHA512

    6496537c61571e04d3927a886e21fa004606580fca901edeb0bea2faa4c6bab19b1f5dec2e3f32e3c95790f0ef6fd398f4e0ea3c9ddd7ce43d48a7429c250f20

  • C:\Users\Admin\AppData\Local\Temp\lyvyy4_w.cmdline

    Filesize

    266B

    MD5

    e3f19ecca8bb0d00700a7b575c08cb31

    SHA1

    0ce48b9c391875944bed1cb1d3f5a9bc0c862cb8

    SHA256

    a506efe0a5163a50cdbbdacdb2900e842525aa374ee3d12982130e137c92509b

    SHA512

    d4e258624fc8d5d6fbf972c5230c83cf97831951e0cc7e5575f5480c8d4b3ad146c404407aba064b2ea35571067be3ca8bf9a35b2c9cd74f449815de7daf4469

  • C:\Users\Admin\AppData\Local\Temp\tmpD74C.tmp.exe

    Filesize

    78KB

    MD5

    19507b98ebf3e65799afe4b9656c5984

    SHA1

    3916402ce635f5ed28c54d7edbdee9c10b73f818

    SHA256

    66aec3b3c838eb226339d2e050ff3ff26b489b622e186681a8e0b3b3bca2dbbc

    SHA512

    f5467402d15cdccf5ce0c29ff8e97913b694bcb69ff719d65567d70e3f4e7570ed30f8d3d331efb09406e56c0704ddd0dd3a3a034f6d3d668613a9fb3d03fc3a

  • C:\Users\Admin\AppData\Local\Temp\vbcD807.tmp

    Filesize

    660B

    MD5

    aa70120b2fcec86012a2b1f370d34ece

    SHA1

    57b502516769f2fff9bdde6056e7b34c981f727a

    SHA256

    f07afaab3b81bec873b223d3c213339f53b10f9a228a61233f1fc48f9884bcd8

    SHA512

    e15cacbeed932cc9f232e5bce0eca37645b29c11d7b77f21b57cd1558558e012b5381b8528174f74598f0340a4fddab5fd7f6c4cb822eb89cbcc7930356b0d35

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/592-8-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/592-18-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/784-0-0x0000000074071000-0x0000000074072000-memory.dmp

    Filesize

    4KB

  • memory/784-1-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/784-2-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/784-24-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB