Analysis
max time kernel: 71s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 20:16
Static task: static1
Behavioral task: behavioral1
  Sample: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
  Resource: win10v2004-20241007-en
General
Target: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
Size: 78KB
MD5: 8f0f177e2be050abd297777be9905860
SHA1: 761debb211dd85f9743bcb0d6e3db7568f51e241
SHA256: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2
SHA512: be23c669011144a8e9fea0282cd39f64e7e4ab0cb4a6751cff32f7b57966f456a5e717807f45f1b306f118a01f26e587ae68eadc8fb3d429e92493d6a9de71b1
SSDEEP: 1536:ctHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti9/411q4:ctHFbdSE2EwR4uY41HyvYi9/u
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family
Executes dropped EXE (1 IoC)
pid: 1268, Process: tmpAEC6.tmp.exe
Loads dropped DLL (2 IoCs)
pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""
Process: tmpAEC6.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: vbc.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cvtres.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: tmpAEC6.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description: Token: SeDebugPrivilege, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
description: Token: SeDebugPrivilege, pid: 1268, Process: tmpAEC6.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description: PID 2644 wrote to memory of 2096, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe, procid_target: 30
description: PID 2644 wrote to memory of 2096, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe, procid_target: 30
description: PID 2644 wrote to memory of 2096, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe, procid_target: 30
description: PID 2644 wrote to memory of 2096, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe, procid_target: 30
description: PID 2096 wrote to memory of 2572, pid: 2096, Process: vbc.exe, procid_target: 32
description: PID 2096 wrote to memory of 2572, pid: 2096, Process: vbc.exe, procid_target: 32
description: PID 2096 wrote to memory of 2572, pid: 2096, Process: vbc.exe, procid_target: 32
description: PID 2096 wrote to memory of 2572, pid: 2096, Process: vbc.exe, procid_target: 32
description: PID 2644 wrote to memory of 1268, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe, procid_target: 33
description: PID 2644 wrote to memory of 1268, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe, procid_target: 33
description: PID 2644 wrote to memory of 1268, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe, procid_target: 33
description: PID 2644 wrote to memory of 1268, pid: 2644, Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe, procid_target: 33
Processes
Image (depth 1): C:\Users\Admin\AppData\Local\Temp\cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe"
  PID: 2644
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Image (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f11utgmc.cmdline"
    PID: 2096
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Image (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0A9.tmp"
      PID: 2572
      - System Location Discovery: System Language Discovery
  Image (depth 2): C:\Users\Admin\AppData\Local\Temp\tmpAEC6.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAEC6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
    PID: 1268
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: c1c91104fd1eaf129e52f05294bf06ad
SHA1: e3a258411eb0bb3142614e060ba9ddfd6c9e1e79
SHA256: f3e81f6768cb95d6ea7d0fee03cfdbff7560fa654ddbb42eca3b78ae78db7b4b
SHA512: e6cfbd55d8c06fb61da69f179ef7ddd025eb4d2dfb73e3326d6485e51127df4b3a326f2ea1747eea1d4bb456dfb1ea63f83dfe4a034313a9418d4e55443f8712

Filesize: 15KB
MD5: 15a48a9a0597ddca0d85537cca4bc2dc
SHA1: 1af618956ee5611bbc3a11936bd7a6b30d090b53
SHA256: 4202a82b4cc9230badc55e62c888fcb230cea1aa11254e34c35c45755bce3894
SHA512: 093b62e0cfa49c1077c69c01d103c1042f77fa96e25591efca9cfebbb383af4a0565b2b71c5ed75bc45c108a90acc62edd326a36f16d5956ff99d6b5f0892808

Filesize: 266B
MD5: 292a254d8563dd0bafd60bd01aa00ce7
SHA1: fd7a49c376ffea735c94c1c15c3496b8c2b06a45
SHA256: 89579c3397a95bde63639a22d5d5824eb1fcb1980192a2534d8adc642610d105
SHA512: f8f4676c32cf976d91b0dcdcb2fdebf435b3d880998ac6918f2c9436d2fbb0dd6955eefaa2fa87ada3f0c70e1c869336a90714785f86de8c155e4ecffb7faaec

Filesize: 78KB
MD5: 6c4ad2abdcb366f9221123956394b941
SHA1: e6b901530028f29b2500431c70e3e74f4de25054
SHA256: 6166134965ab65a89f5cf3935523155fd17f13b30f6bcd60fbc3eec11df039aa
SHA512: 11b7d9dc3ec7b0ac45ccb9c7f2ca92ad743965730f87ace4aba63419f718dcd4bdfa346c132c870e725944915b9c3577404cf6f6385625ae4bfeefe6fbc5a261

Filesize: 660B
MD5: d3eda3a4921579743a7841ae66358f45
SHA1: 6dc5eda7898bbaaeab8a56bde476d9c523ef45a3
SHA256: c2a4effa08314632340374abcc2a3a4a47a072a3cca1eafa6ffa6fb0a66f10f6
SHA512: 9929c0901df5ccb3c5d7784295e00af25fed91e1ad6e30ba05d7da22077da465d246a250c8ba3f66c5930d5abb44279970d40d0077b38691de143efd39c225cb

Filesize: 62KB
MD5: 6870a276e0bed6dd5394d178156ebad0
SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809