Analysis
-
max time kernel
111s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
05-12-2024 02:22
Static task
static1
Behavioral task
behavioral1
Sample
a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
Resource
win10v2004-20241007-en
General
-
Target
a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
-
Size
78KB
-
MD5
bccfd2f671f53447e907641021e413ce
-
SHA1
153f183bba5420907f35a4e1712c793e3bd5d9d3
-
SHA256
a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d
-
SHA512
8ec24938cd929119a71ccef094a4034f26a56c36c8fa5caa16aeca6f9321950b81108834608fba205f421f50cef6b995680a4fc0b29ad6fc2ef66fa2efa71bc0
-
SSDEEP
1536:4PWV5jAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6A9/o01Gtp:4PWV5j4SyRxvhTzXPvCbW2UI9/Mp
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Metamorpherrat family
-
Executes dropped EXE 1 IoCs
pid   Process
2448  tmpD71D.tmp.exe
Loads dropped DLL 2 IoCs
pid   Process
2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                   Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmpD71D.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpD71D.tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
Token: SeDebugPrivilege  2448  tmpD71D.tmp.exe
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process                                                                  procid_target
PID 2848 wrote to memory of 2256  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe  31
PID 2848 wrote to memory of 2256  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe  31
PID 2848 wrote to memory of 2256  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe  31
PID 2848 wrote to memory of 2256  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe  31
PID 2256 wrote to memory of 2496  2256  vbc.exe                                                                  33
PID 2256 wrote to memory of 2496  2256  vbc.exe                                                                  33
PID 2256 wrote to memory of 2496  2256  vbc.exe                                                                  33
PID 2256 wrote to memory of 2496  2256  vbc.exe                                                                  33
PID 2848 wrote to memory of 2448  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe  34
PID 2848 wrote to memory of 2448  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe  34
PID 2848 wrote to memory of 2448  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe  34
PID 2848 wrote to memory of 2448  2848  a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe  34
Processes
C:\Users\Admin\AppData\Local\Temp\a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
"C:\Users\Admin\AppData\Local\Temp\a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dpx5jof6.cmdline"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD894.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD893.tmp"
    - System Location Discovery: System Language Discovery
    PID:2496
  C:\Users\Admin\AppData\Local\Temp\tmpD71D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD71D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a16151de5e9f8b0d7bcbf21125630d3abd2e15dde8dd0e42fe078528b4325d6d.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
3ea12ea8480d5fba71b0860af42c42ce
SHA1
4bf9c777edb97c03064f379f3645897ecf521fb3
SHA256
9a4764b3dc41911a4101a1aec5b0d53d64e48adf5af70118cf6a8cfd9b16c207
SHA512
6006605a3356daefb05e486b6c7b1c01ef654fdc1275e53cdf582cdd1cca46cbc9ca48a3d34d0e0c403993fbc38f6988889142b0071c066784e562fcfdd4ece6
-
Filesize
14KB
MD5
6e641960caf881cd5d56fd020700c153
SHA1
535b9c261241a2acc0f26acc82450ceb1226c806
SHA256
0ee72e70147603b3bc48bf619d2e2c549c5d64a63c3001e38349bfddd4808304
SHA512
b9795f2fd304aee16fc13dd6fefaa11fbbbfe2cffd23fe2bc72be31001060fe6f28b6865db94387ffd599f9d1a9fd8464bd0c10891586a59a256b1a476047236
-
Filesize
266B
MD5
5682dd76868a1e2f1a38467a15fbf298
SHA1
b4ea82c6ee22b80ba877376ede9ed83037477073
SHA256
2c23e65589a0b5532be78be4d980a011081e7a44fdb24909ec3863cb3e060fc1
SHA512
10da9badd08d8f72c3bc5fb4b0efb9e794daef01b7890762a59040aa374d66840da9eaa9e4c6f08a0b267025ab4589ba4d2304f189bec3c1859628e46767f1f8
-
Filesize
78KB
MD5
c38413a320d584d6691101821e912952
SHA1
714511bdfa159926b1a07b0a789b6d2fddf50b10
SHA256
5cf618f1e278c105ae6f3d18676ef91d06f7ab5aeac3030aaeb5439095240342
SHA512
33d95e9c4b7a5b69cef9db4e81ea641220ef3eab7c0cd30109f23555be6bb3b249c44c4900ecb0acf49d2046669690903bcd4d484f1b5aae8c25268b05fa279b
-
Filesize
660B
MD5
2c54ce3eecf353602a972a0172e66756
SHA1
cd873a14ac00de4ec2ca9be47a98f90d4c1bd7be
SHA256
99ba2fd9a0303881cbf9846d3f266e74b0267e9a2c9a336be8cd310dafd8e0dd
SHA512
9ce12319334723ab186f1c2d0989ae7c0eac70610b7750ccd44ce667b5c202c03faae9372266e7ff49e4deead139226fa4cbc6dcdb5b1bcafbe9e6fab7e4ed2b
-
Filesize
62KB
MD5
8fd8e054ba10661e530e54511658ac20
SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c