Analysis

  • max time kernel
    119s
  • max time network
    110s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2024 07:38

General

  • Target

    96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe

  • Size

    78KB

  • MD5

    5e89b0338575ddd2be5c11790cef6610

  • SHA1

    f0e5e9cbda347a1e7e30c4af945c3bc72c96d286

  • SHA256

    96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596

  • SHA512

    e5754a544c49b7441975c98bb1119a31fb531638d3307a438e882486e47534ba6d0bdf19ffe7b1ebd8cf7bd0bfe9451dafd705d030bbf52f6ef4c9daf5a1ba20

  • SSDEEP

    1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zg:sWV58BJywQjDgTLopLwdCFJzF9/2J

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a remote access tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
    "C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iddqiuok.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8DD.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:892
    • C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2660
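
The process tree above is the interesting part of this report: the sample (PID 1504) launches the .NET 2.0 VB compiler vbc.exe with a response file from %TEMP%, vbc.exe spawns cvtres.exe to link resources, and the parent then runs a freshly dropped tmpA67C.tmp.exe with the original sample path as its argument. The dropped EXE has the same 78KB size as the sample but different hashes (see Downloads below), which is consistent with the binary rebuilding itself at runtime. The following is an added detection example written for this page, not code from the sandbox or the malware: it models process-creation events as plain dicts (the field names pid/ppid/image/cmd are an assumption; map them from your EDR or Sysmon Event ID 1 export), reconstructs the tree, and flags a compiler whose response file or parent lives in a user-writable directory, plus a temp-dir executable started by a temp-dir parent. The events are constructed to mirror the tree shown above, with one benign control added.

```python
"""Flag runtime compilation via vbc.exe/csc.exe and dropped-EXE execution.

Added example modelled on the process tree in this report. Event records are
constructed, not exported from the sandbox; the sample's own parent pid (1000)
and the benign build-tool event are assumptions for illustration.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp.exe"

# Constructed process-creation events mirroring the tree on this page.
EVENTS = [
    {"pid": 1504, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 2124, "ppid": 1504, "image": VBC,
     "cmd": f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\iddqiuok.cmdline"'},
    {"pid": 892, "ppid": 2124, "image": CVTRES,
     "cmd": f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 '
            f'"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RESA8DE.tmp" '
            f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbcA8DD.tmp"'},
    {"pid": 2660, "ppid": 1504, "image": DROPPED, "cmd": f'"{DROPPED}" {SAMPLE}'},
    # Benign control (assumed): the same compiler driven from a project
    # directory by a build tool must not fire.
    {"pid": 3000, "ppid": 2900, "image": VBC,
     "cmd": f'"{VBC}" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]

# Directories any user can write to; a compiler reading a response file from
# here, or a parent running from here, is the suspicious combination.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# vbc.exe/csc.exe take the real source list from an @response file.
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
COMPILERS = {"vbc.exe", "csc.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of findings; each names the rule, pid and parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimage = parent["image"] if parent else ""

        if name in COMPILERS:
            m = RESPONSE_FILE.search(e["cmd"])
            rsp = m.group(1) if m else ""
            if USER_WRITABLE.search(rsp) or USER_WRITABLE.search(pimage):
                # A cvtres.exe child means the compile reached the link step,
                # i.e. a new PE was actually produced.
                linked = any(basename(c["image"]) == "cvtres.exe"
                             for c in children[e["pid"]])
                findings.append({"rule": "runtime_compile", "pid": e["pid"],
                                 "parent": e["ppid"], "response_file": rsp,
                                 "linked": linked})
        elif USER_WRITABLE.search(e["image"]) and parent and USER_WRITABLE.search(pimage):
            # Temp-dir EXE started by a temp-dir parent; a compiler sibling
            # under the same parent ties it to the build chain above.
            sibling_compiler = any(basename(s["image"]) in COMPILERS
                                   for s in children[e["ppid"]])
            findings.append({"rule": "temp_exe_from_temp_parent", "pid": e["pid"],
                             "parent": e["ppid"],
                             "sibling_compiler": sibling_compiler})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Run against the constructed events this yields exactly two findings, for PID 2124 (compile, linked via cvtres.exe) and PID 2660 (dropped EXE with a compiler sibling); the build-tool control is silent because its response file sits under a project directory. In production, key the same rules on the parent image being unsigned or living outside Program Files rather than on the Temp path alone, since legitimate installers also compile from %TEMP%.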

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA8DE.tmp

    Filesize

    1KB

    MD5

    cabd22d90d29541c7cecfb7e35e7811e

    SHA1

    763528fe00615cd739f1db6a02f2922f43aff900

    SHA256

    efe07c8affd108901a69fb9370d525f369f069e26c6ccfc56320277769f7aa4b

    SHA512

    31d905ed1653d52468caa7bc6c56041553009fdfe2888afdda7c7887b9496e06eb46a2a1c3570124108a26b2c5ed822b9369275f5d13c3be115e077162ad7cdd

  • C:\Users\Admin\AppData\Local\Temp\iddqiuok.0.vb

    Filesize

    14KB

    MD5

    83c7b85d1fb360bbfc752913f36e7f10

    SHA1

    e34696f41d3ca9b59a314b7454300baa017d264b

    SHA256

    e34843e6b56041c7ceba19e0247f0322e3b29460fe4b663d37fb10dee10ebf06

    SHA512

    ad46d4f2b39d3957463ed9d79a0d12406b65a00067355184cdc975d8594429e196caaff565faafcacd937bbd22146a37502529266d95af412b0dd69b36a383dc

  • C:\Users\Admin\AppData\Local\Temp\iddqiuok.cmdline

    Filesize

    266B

    MD5

    24e10adf5eba5886a4f327b4179c3d75

    SHA1

    66c146b580ae26c7806c3cb405a38f63c912ff4b

    SHA256

    d7c67ae2d6d42b01e235e445092b78fab8e2bc6cf92c906eb4b251c52904f148

    SHA512

    0556c7cfef85bc0ef5d22ca468a91408ddb9ec790b557fbc2dd710f495c8393d6abc6796e1c35b1bfd162c46f455d38f348138389aa505eb5f63b4bbf88b915a

  • C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp.exe

    Filesize

    78KB

    MD5

    fbdfb49070178eeb187c6b1f9c1adc1b

    SHA1

    1db1a076e3c71c08b5081a69d5796fa2de4d790d

    SHA256

    39bdf08732492af5a90d7ec510bb31543cbd2c22921dd13010bf6318f076c65a

    SHA512

    9e1e2fadf151681a85537c1da2b35dddb57dc09b693ae7d62fb9f284cc3247a66a05f3dfd1e26a1d7f1b1fc468c6597bd4c96789d8c8dfd6f4c0385793e7dcb2

  • C:\Users\Admin\AppData\Local\Temp\vbcA8DD.tmp

    Filesize

    660B

    MD5

    642816291396ad5ea64a491396a3aa18

    SHA1

    22ad78f38e2deecc0ffe1aa327e11e29232af980

    SHA256

    1beaf211601aebbaa852442fa2231c7611c6943f83f08f7bb60f5c6ed4449fd7

    SHA512

    98ebbcaff1456094341a10febdeac639536cda42d738d328df4d0b70a2bfee474cb4b468cc8cc41fba7b23854d88d309d9beb308997643f240c1ca04ebf18fc4

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/1504-0-0x0000000074011000-0x0000000074012000-memory.dmp

    Filesize

    4KB

  • memory/1504-1-0x0000000074010000-0x00000000745BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1504-3-0x0000000074010000-0x00000000745BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1504-24-0x0000000074010000-0x00000000745BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2124-8-0x0000000074010000-0x00000000745BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2124-18-0x0000000074010000-0x00000000745BB000-memory.dmp

    Filesize

    5.7MB