Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2024 06:45

Static task: static1

Behavioral task: behavioral1
- Sample: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
- Resource: win10v2004-20241007-en
General
- Target: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
- Size: 78KB
- MD5: 7afe3e8926bce1c2bc8a5b17ab2694a4
- SHA1: 71e7cb335cbf7285da9153aaa019417522240c75
- SHA256: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc
- SHA512: c52202fed5e14f32745fa2a21d3f4a480347203dc4dc10dc47d03874d5a27ddc4e74a5cc997cc7723588b5461bdb499768b9eefc96102491e4a42564a146b448
- SSDEEP: 1536:CsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtkB9//1CYE:CsH/3DJywQjDgTLopLwdCFJzkB9/dE
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  - PID 2276: tmpD74C.tmp.exe
- Loads dropped DLL (2 IoCs)
  - PID 784: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
  - PID 784: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpD74C.tmp.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 784, d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 784 (d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe) wrote to memory of PID 592, procid_target 31 (4 events)
  - PID 592 (vbc.exe) wrote to memory of PID 2144, procid_target 33 (4 events)
  - PID 784 (d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe) wrote to memory of PID 2276, procid_target 34 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe (PID 784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 592)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyvyy4_w.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2144)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD808.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD807.tmp"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpD74C.tmp.exe (PID 2276)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD74C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads