Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 18:11

Static task: static1

Behavioral task: behavioral1
Sample: af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Resource: win10v2004-20241007-en
General
Target: af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Size: 78KB
MD5: 8b21473aab7cfe0c66f8c8e13d837390
SHA1: 44b0d602c5d0e4b7690dba2470bcd411531bfb70
SHA256: af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45
SHA512: cd3707020715400af49fea51325af2b5f318b7cf850626efc9a759dbba5190a367be6e0daa0b62d719e98d15845240d463463898715645ae33014a2d49d7aac6
SSDEEP: 1536:SCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtdx9/Q1dv:SCHs3xSyRxvY3md+dWWZyj9/c
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family
Executes dropped EXE (1 IoC)
pid | Process
792 | tmpC84E.tmp.exe

Loads dropped DLL (2 IoCs)
pid | Process
2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmpC84E.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC84E.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Token: SeDebugPrivilege | 792 | tmpC84E.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2204 wrote to memory of 2956 | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe | 30
PID 2204 wrote to memory of 2956 | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe | 30
PID 2204 wrote to memory of 2956 | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe | 30
PID 2204 wrote to memory of 2956 | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe | 30
PID 2956 wrote to memory of 272 | 2956 | vbc.exe | 33
PID 2956 wrote to memory of 272 | 2956 | vbc.exe | 33
PID 2956 wrote to memory of 272 | 2956 | vbc.exe | 33
PID 2956 wrote to memory of 272 | 2956 | vbc.exe | 33
PID 2204 wrote to memory of 792 | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe | 34
PID 2204 wrote to memory of 792 | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe | 34
PID 2204 wrote to memory of 792 | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe | 34
PID 2204 wrote to memory of 792 | 2204 | af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe | 34
Processes (process tree; indentation shows parent/child depth)

[depth 1] C:\Users\Admin\AppData\Local\Temp\af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe"
  PID: 2204
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3t5q6nmq.cmdline"
    PID: 2956
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC92A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC929.tmp"
      PID: 272
      - System Location Discovery: System Language Discovery

  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmpC84E.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC84E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
    PID: 792
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads