Analysis

  • max time kernel: 103s
  • max time network: 115s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 04-12-2024 19:46

General

  • Target: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  • Size: 78KB
  • MD5: 7eec8047ab601bd58f2c3bb8c8567d50
  • SHA1: 4e68de6596162bf302c33712c013d4ab98957fdb
  • SHA256: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219e
  • SHA512: 23a960119a828a0d1a17ab20fd092ce1565796877a1a60c1012ecff7b37ce7440b76bd15c61d3b79248e80a976fedf47500e2a92407a0b18d4e54733e062585c
  • SSDEEP: 1536:EzWV59XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96CV9/JN1uN:qWV5tSyRxvY3md+dWWZyfV9/Ja

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a remote access tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe (PID 2412)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe"
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2052, child of 2412)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1edqymlr.cmdline"
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2260, child of 2052)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8805.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8804.tmp"
        • System Location Discovery: System Language Discovery
    • C:\Users\Admin\AppData\Local\Temp\tmp872A.tmp.exe (PID 2952, child of 2412)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp872A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1edqymlr.0.vb
    Filesize: 14KB
    MD5: 4dd2965a801a55e2ae7d42ac585a5a96
    SHA1: 9c576d9fe9d87977b04fff9c4a0fbb50f38c653f
    SHA256: 867e25475885fe17a6995924e35af88d92f56f80892444f4e635a851567d3980
    SHA512: 8d4b9591c06a19134ab2969ca9d18e0f8b29c44193729b9a95240ddc39f3f11ca5c40457a5ff2fda1986c05192c2e514d654692ed640a0446d2972fe4ffc6515

  • C:\Users\Admin\AppData\Local\Temp\1edqymlr.cmdline
    Filesize: 266B
    MD5: 0d2d1c418bc937b9a65088f67c8ffd3a
    SHA1: aef1978586a050c84303ea363453ce946e23b143
    SHA256: 0507c7fbdc895c532d6813ef21a06ff6c19af75d2bbdbacd41d0beadee7015d8
    SHA512: 5c2e039ef62e0a0067a9a849a2acc44b6a7732aa3c6abc770185b28fa07414f119c94c76c3e2cf6043841f7cf37a8e2c85a72d0e0adfb3b332ec049494f98f0f

  • C:\Users\Admin\AppData\Local\Temp\RES8805.tmp
    Filesize: 1KB
    MD5: 0bba484d55d7c7d12df7bc9b335dfdd7
    SHA1: 8644d1e7eb0c4c003de0e23ecddf8233878ff708
    SHA256: 135231d7216f9f2f3eecb0610ce3144018aa2800b9cf2dd4e1059e022183916e
    SHA512: 60d7766a7802742ddaa302fbc036852264dae2e786bb52c2eafaddd3f1959937082338644bab5e0b722cf01bf11fba6af2d4af9e319be1c3894791f477e80dc0

  • C:\Users\Admin\AppData\Local\Temp\tmp872A.tmp.exe
    Filesize: 78KB
    MD5: a31cca23abc76e98fdb919de65b3b548
    SHA1: 232ad3c28a75e53b448351584aa463a56d99cdcc
    SHA256: 8d40c5af7b6da969370573ce70f2abfcba670128c95ab0f5914f9fb5ec8c6e1c
    SHA512: d3ccfa316a5491c67a27eafe1cd17e3700684be635f414a02b5e8a4f7592b0cfa8f46b8f7ac69cebe112a40d02be3aa0c10529acd3d0991874b029f2307eb288

  • C:\Users\Admin\AppData\Local\Temp\vbc8804.tmp
    Filesize: 660B
    MD5: 8c3bc4e4dcd5cde48b4d6b1c87e40f95
    SHA1: 5628fd38afec753396e5fb44d98b3205661444c8
    SHA256: c178f4cc32f4f58e15bd6af8ee6945c7377548332a9594c5cf9732bd5f5fefd2
    SHA512: d373be90ced3a9b80a60e5d6b12e5abb7400edc620d3f468572df6543681084b1b743155505f078a9151dfb1ca1351640669e7996825bff1087565fbfcb90f38

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
    SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
    SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
    SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

  • memory/2052-8-0x0000000074BF0000-0x000000007519B000-memory.dmp (Filesize: 5.7MB)
  • memory/2052-18-0x0000000074BF0000-0x000000007519B000-memory.dmp (Filesize: 5.7MB)
  • memory/2412-0-0x0000000074BF1000-0x0000000074BF2000-memory.dmp (Filesize: 4KB)
  • memory/2412-1-0x0000000074BF0000-0x000000007519B000-memory.dmp (Filesize: 5.7MB)
  • memory/2412-3-0x0000000074BF0000-0x000000007519B000-memory.dmp (Filesize: 5.7MB)
  • memory/2412-24-0x0000000074BF0000-0x000000007519B000-memory.dmp (Filesize: 5.7MB)