Analysis
max time kernel: 103s
max time network: 115s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 19:46
Static task: static1
Behavioral task: behavioral1
  Sample: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  Resource: win10v2004-20241007-en
General
Target: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
Size: 78KB
MD5: 7eec8047ab601bd58f2c3bb8c8567d50
SHA1: 4e68de6596162bf302c33712c013d4ab98957fdb
SHA256: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219e
SHA512: 23a960119a828a0d1a17ab20fd092ce1565796877a1a60c1012ecff7b37ce7440b76bd15c61d3b79248e80a976fedf47500e2a92407a0b18d4e54733e062585c
SSDEEP: 1536:EzWV59XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96CV9/JN1uN:qWV5tSyRxvY3md+dWWZyfV9/Ja
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Metamorpherrat family
-
Executes dropped EXE 1 IoCs
  pid   Process
  2952  tmp872A.tmp.exe
Loads dropped DLL 2 IoCs
  pid   Process
  2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
  Process: tmp872A.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp872A.tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  Token: SeDebugPrivilege  2952  tmp872A.tmp.exe
Suspicious use of WriteProcessMemory 12 IoCs
  description                        pid   Process                                                                  procid_target
  PID 2412 wrote to memory of 2052   2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe  28
  PID 2412 wrote to memory of 2052   2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe  28
  PID 2412 wrote to memory of 2052   2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe  28
  PID 2412 wrote to memory of 2052   2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe  28
  PID 2052 wrote to memory of 2260   2052  vbc.exe                                                                  30
  PID 2052 wrote to memory of 2260   2052  vbc.exe                                                                  30
  PID 2052 wrote to memory of 2260   2052  vbc.exe                                                                  30
  PID 2052 wrote to memory of 2260   2052  vbc.exe                                                                  30
  PID 2412 wrote to memory of 2952   2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe  31
  PID 2412 wrote to memory of 2952   2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe  31
  PID 2412 wrote to memory of 2952   2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe  31
  PID 2412 wrote to memory of 2952   2412  c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe  31
Processes (process tree; indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2412

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1edqymlr.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2052

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8805.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8804.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2260

  C:\Users\Admin\AppData\Local\Temp\tmp872A.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp872A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2952
Network
MITRE ATT&CK Enterprise v15
Downloads