Analysis

max time kernel: 101s
max time network: 111s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2024 01:34

Static task: static1

Behavioral task: behavioral1
- Sample: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
- Resource: win7-20241023-en

Behavioral task: behavioral2
- Sample: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
- Resource: win10v2004-20241007-en
General

Target: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
Size: 78KB
MD5: 8a912d38b039ec348364f11af3af84fa
SHA1: cc7b234633b2b3e0473fdd3ab34cc942e601f7bd
SHA256: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b
SHA512: e376b43328c8b45b5ad76e43d690d05bce7c69cf2af0a728544cf09093f3290c4fd3c86ae0e2293b63d5660458bd8ec3e28884030e56a48652f8f4125e576d38
SSDEEP: 1536:SCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtdx9/Q1dvN:SCHs3xSyRxvY3md+dWWZyj9/cN
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Executes dropped EXE (1 IoC)
- PID 2064, Process: tmpB23F.tmp.exe

Loads dropped DLL (2 IoCs)
- PID 2580, Process: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
- PID 2580, Process: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
- Description: Set value (str)
- IoC: \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
- Process: tmpB23F.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: vbc.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cvtres.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: tmpB23F.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2580, Process: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
- Token: SeDebugPrivilege, PID 2064, Process: tmpB23F.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2580 wrote to memory of 2484, Process: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe, procid_target 30 (reported 4 times)
- PID 2484 wrote to memory of 2068, Process: vbc.exe, procid_target 32 (reported 4 times)
- PID 2580 wrote to memory of 2064, Process: 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe, procid_target 33 (reported 4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe"
  Depth: 1
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2580

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zoxmmr11.cmdline"
    Depth: 2
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2484

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB378.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB377.tmp"
      Depth: 3
      - System Location Discovery: System Language Discovery
      PID: 2068

  C:\Users\Admin\AppData\Local\Temp\tmpB23F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB23F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
    Depth: 2
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2064
Network
MITRE ATT&CK Enterprise v15