Analysis
- max time kernel: 119s
- max time network: 110s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2024 07:38
Static task: static1

Behavioral task: behavioral1
- Sample: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
- Resource: win10v2004-20241007-en
General
- Target: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
- Size: 78KB
- MD5: 5e89b0338575ddd2be5c11790cef6610
- SHA1: f0e5e9cbda347a1e7e30c4af945c3bc72c96d286
- SHA256: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596
- SHA512: e5754a544c49b7441975c98bb1119a31fb531638d3307a438e882486e47534ba6d0bdf19ffe7b1ebd8cf7bd0bfe9451dafd705d030bbf52f6ef4c9daf5a1ba20
- SSDEEP: 1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zg:sWV58BJywQjDgTLopLwdCFJzF9/2J
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.

- Metamorpherrat family

- Executes dropped EXE (1 IoC)
  pid    Process
  2660   tmpA67C.tmp.exe

- Loads dropped DLL (2 IoCs)
  pid    Process
  1504   96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
  1504   96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe

- Uses the VBS compiler for execution (1 TTP)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    vbc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cvtres.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    tmpA67C.tmp.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   1504   96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe

- Suspicious use of WriteProcessMemory (12 IoCs; each row below was reported 4 times)
  description                          pid    Process                                                                   procid_target
  PID 1504 wrote to memory of 2124     1504   96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe    30
  PID 2124 wrote to memory of 892      2124   vbc.exe                                                                   32
  PID 1504 wrote to memory of 2660     1504   96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe    33
Processes
1. C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe"
   PID: 1504
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iddqiuok.cmdline"
      PID: 2124
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8DD.tmp"
         PID: 892
         - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
      PID: 2660
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads