Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
05-12-2024 01:37
Static task
static1
Behavioral task
behavioral1
Sample
ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
Resource
win10v2004-20241007-en
General
-
Target
ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
-
Size
78KB
-
MD5
eb867603263e1533539240cffa2b3529
-
SHA1
c560a66900814132514b1c9528b0bda5aef5d109
-
SHA256
ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd
-
SHA512
d331b1bb4ca159f677875251fc848b58c21fbadd58cac6b1b4bf0f8eebd9b10338f99b28920d47e2d03d51ebfa5d7a2b0530ce120ea406e827e59b1039536556
-
SSDEEP
1536:7Py58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN629/m1YBp:7Py58WSyRxvhTzXPvCbW2UZ9/Xp
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Metamorpherrat family
-
Executes dropped EXE 1 IoCs
PID | Process
2748 | tmp8B10.tmp.exe
-
Loads dropped DLL 2 IoCs
PID | Process
2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmp8B10.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8B10.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Description | PID | Process
Token: SeDebugPrivilege | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
Token: SeDebugPrivilege | 2748 | tmp8B10.tmp.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Description | PID | Process | procid_target
PID 2524 wrote to memory of 2380 | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe | 30
PID 2524 wrote to memory of 2380 | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe | 30
PID 2524 wrote to memory of 2380 | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe | 30
PID 2524 wrote to memory of 2380 | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe | 30
PID 2380 wrote to memory of 2804 | 2380 | vbc.exe | 32
PID 2380 wrote to memory of 2804 | 2380 | vbc.exe | 32
PID 2380 wrote to memory of 2804 | 2380 | vbc.exe | 32
PID 2380 wrote to memory of 2804 | 2380 | vbc.exe | 32
PID 2524 wrote to memory of 2748 | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe | 33
PID 2524 wrote to memory of 2748 | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe | 33
PID 2524 wrote to memory of 2748 | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe | 33
PID 2524 wrote to memory of 2748 | 2524 | ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe | 33
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID:2524
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nh3pszkg.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2380
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C0A.tmp"
         - System Location Discovery: System Language Discovery
         PID:2804
   2. C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:2748
-
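The process tree above shows two behaviours worth turning into detection logic: the dropper, running from the user's Temp directory, launches vbc.exe with /noconfig and a .cmdline response file in Temp (vbc.exe then spawning cvtres.exe), which is the chain the .NET CodeDOM compiler produces when a program compiles source at run time; and the dropped tmp8B10.tmp.exe writes a Run value whose target also sits under AppData\Local\Temp. The checks below are an added example written for this page, not code from the sandbox or from the malware family; the event record layout (ProcessEvent, RegistryEvent) is an assumption, and the records are constructed from the PIDs, command lines and registry IoC reported above. Because csc.exe and vbc.exe are also spawned by legitimate builds (MSBuild, Visual Studio), the compiler check keys on the parent image and the response file living in a user-writable path rather than on the compiler name alone.

```python
"""Detection checks for the behaviours in the sandbox report above:
(1) a process in a user-writable directory launching the .NET compiler
(vbc.exe / csc.exe) with a response file in %TEMP%, and
(2) a Run/RunOnce value whose command points into a user-writable path.
Event layout is an assumed schema; records are constructed from this page."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath  # parses Windows paths correctly on any host OS
import re

SAMPLE = "ea06287de22310bc288a440eddce3302d3af9f79c80194d654b519c3f4dba9bd.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FRAMEWORK = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    key: str         # key path; the value name is kept separately
    value_name: str
    data: str


# Constructed from the process tree on this page (PIDs and command lines as reported).
PROCESS_EVENTS = [
    ProcessEvent(2524, None, f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    ProcessEvent(2380, 2524, f"{FRAMEWORK}\\vbc.exe",
                 f'"{FRAMEWORK}\\vbc.exe" /noconfig @"{TEMP}\\nh3pszkg.cmdline"'),
    ProcessEvent(2804, 2380, f"{FRAMEWORK}\\cvtres.exe",
                 f'{FRAMEWORK}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                 f'"/OUT:{TEMP}\\RES8C0B.tmp" "{TEMP}\\vbc8C0A.tmp"'),
    ProcessEvent(2748, 2524, f"{TEMP}\\tmp8B10.tmp.exe",
                 f'"{TEMP}\\tmp8B10.tmp.exe" {TEMP}\\{SAMPLE}'),
]

# Constructed from the "Adds Run key to start application" IoC on this page.
REGISTRY_EVENTS = [
    RegistryEvent(
        2748,
        r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000"
        r"\Software\Microsoft\Windows\CurrentVersion\Run",
        "aspnet_state_perf",
        f'"{TEMP}\\System.Web.exe"',
    ),
]

DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Directories an unprivileged user can write to. A compiler parent or
# response file here is the discriminator against normal developer builds.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
                     re.IGNORECASE)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+)')  # the @file argument to csc/vbc


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.search(path) is not None


def image_from_command(data: str) -> str:
    """Return the executable part of a Run-value command line, honouring quotes."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def detect_runtime_compilation(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Flag csc/vbc launches whose parent or response file sits in a user-writable path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() not in DOTNET_COMPILERS:
            continue
        reasons = []
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        if parent is not None and is_user_writable(parent.image):
            reasons.append(f"parent pid {parent.pid} runs from {ntpath.dirname(parent.image)}")
        m = RESPONSE_FILE.search(e.cmdline)
        if m and is_user_writable(m.group(1)):
            reasons.append(f"response file in user-writable path: {m.group(1)}")
        if reasons:
            hits.append((e.pid, reasons))
    return hits


def detect_run_key_persistence(events: List[RegistryEvent]) -> List[Tuple[int, str, str]]:
    """Flag Run/RunOnce values whose command targets a user-writable path."""
    hits = []
    for r in events:
        if not RUN_KEY.search(r.key):
            continue
        target = image_from_command(r.data)
        if is_user_writable(target):
            hits.append((r.pid, r.value_name, target))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect_runtime_compilation(PROCESS_EVENTS):
        print(f"[compile] pid {pid}: " + "; ".join(reasons))
    for pid, name, target in detect_run_key_persistence(REGISTRY_EVENTS):
        print(f"[persist] pid {pid}: Run\\{name} -> {target}")
```

Run against the constructed records, the compiler check fires once, on vbc.exe (PID 2380), for both reasons, and the persistence check fires once, on the aspnet_state_perf value written by PID 2748. cvtres.exe is not flagged on its own: as a child of vbc.exe it is part of the normal compiler chain, so the parent relationship, not the child, carries the signal.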
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 2b2e19aeb9ff770e0ffb2b727552754b
SHA1 7de0df10b2e36dd1fc5dbf68f8c32c5ee4d43127
SHA256 7e3113ca6d31a5c018101eb1a54fdb414bb6002d19289c76daca273d0bfa75a3
SHA512 47e98dc1878bb3fedce5254027aa3c37c56c4cdf5a1410d8c621b839f35491a2f0a2bb11d4e399152cb42b781920f92aab8e0f4570ae99dd70d91b1a08667f09
-
Filesize
14KB
MD5 ca2f8eec5aa28e7818059965faccd14d
SHA1 bea9c83845aecbedfe87206ca74853254d921943
SHA256 f6f606998cd4a9fd23067ff3d141dfdd10cbea7e857e8902452670f7e562691c
SHA512 d10cc21823c14a3886fb6906584e5bcdbb87613b9db6be3399ec797d988352e72492d08910ab3dad3a3e11fb31fc9094e7b1915c9cb045052fa28f12dc0366c1
-
Filesize
266B
MD5 4c36d6548abaf966b377f262818ad18b
SHA1 253b1e573264502de370e35fcca276d3aad98922
SHA256 34cc33955dea48065df0c4fd50bd00b3f881a9d2a83c2e5f034e0a6c51e6bae4
SHA512 bda69b8f0537343245ecd26e04deefba3ee4ec88635308dea3c1269e905ef108c3c7b7e9d9a318a7d8e0dbac8c43fc68a976f73b43c7978a92ca45453fd61b16
-
Filesize
78KB
MD5 ad92104b267bf93bd1673bec36261caf
SHA1 1b0ff9bdd05bb08eb1f983e9f090e9bbc145b135
SHA256 fe58d5af5f27da5bead7167b2248f582c8e8afeab907c7522f03129865bbe622
SHA512 44d064fe8b236731f4db96b9807c575c92708e625cdd68f943afa317689f6ff93ee94d6639edd68f330857087939b73e4e977e05bf3b928c50ef00f01fbd4078
-
Filesize
660B
MD5 171e2b37595110f1ba4a80706af92301
SHA1 c79ecb6d36523e89897a3b6d3fcec609cfb58ec7
SHA256 fb4e90ad82fc182cb84a981ccd5b8c22d77d6854ac8e9196a4afd5507126fe9d
SHA512 7c04dd921e5bb10bff9456d1f66c6dd019da491db1752e0544c0af45e99b6a6b5d1da218e8524a3685b7f9953f53084097ab0d563936ef1a1337319d1e3a050c
-
Filesize
62KB
MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c