Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 08:42
Static task: static1
Behavioral task: behavioral1
  Sample: d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Resource: win10v2004-20241007-en
General
Target: d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
Size: 78KB
MD5: c2c5d0ef549670f2df92a41b047e8bdf
SHA1: 10775205638556dc83fcc2e0f8b272099a67d13d
SHA256: d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943
SHA512: cef24ed209d0ea122130f9fdf526659485fadb0621ef077486356ddef8a0588b923def50cbe9f0f0fe1166a496a3e4953b886f962c98e1e807728257303163f5
SSDEEP: 1536:OPWtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtS9/K1+mO:OPWtHFon3xSyRxvY3md+dWWZyS9/yO
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Executes dropped EXE (1 IoC)
  PID   Process
  2240  tmp8BBC.tmp.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Description      Process
  Set value (str)  tmp8BBC.tmp.exe
  IoC: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp8BBC.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Token: SeDebugPrivilege  2240  tmp8BBC.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                   procid_target
  PID 2108 wrote to memory of 2088  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe  30
  PID 2108 wrote to memory of 2088  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe  30
  PID 2108 wrote to memory of 2088  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe  30
  PID 2108 wrote to memory of 2088  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe  30
  PID 2088 wrote to memory of 1800  2088  vbc.exe                                                                   32
  PID 2088 wrote to memory of 1800  2088  vbc.exe                                                                   32
  PID 2088 wrote to memory of 1800  2088  vbc.exe                                                                   32
  PID 2088 wrote to memory of 1800  2088  vbc.exe                                                                   32
  PID 2108 wrote to memory of 2240  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe  33
  PID 2108 wrote to memory of 2240  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe  33
  PID 2108 wrote to memory of 2240  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe  33
  PID 2108 wrote to memory of 2240  2108  d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe  33
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe"
    PID: 2108
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dcned7bp.cmdline"
        PID: 2088
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D13.tmp"
            PID: 1800
            - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\tmp8BBC.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8BBC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
        PID: 2240
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads