Analysis
- max time kernel: 116s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2024 20:47
Static task: static1
Behavioral task: behavioral1
  Sample: e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe
  Resource: win10v2004-20241007-en
General
- Target: e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe
- Size: 78KB
- MD5: efd288a619127c41cade1dc188346430
- SHA1: 37e0f11628b4b298d444442daad66055ca46e19a
- SHA256: e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26b
- SHA512: 3141741aa36d96f752fa29c19e9781bf2dd12b9b9d00caed91647248b8a3cbb257176fe336b4436b2812b728058b725fb9d945888683e4b9c150fd8e5def0411
- SSDEEP: 1536:aCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtG9/cc1o3:aCHF8h/l0Y9MDYrm7G9/s
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- MetamorpherRAT family
- Executes dropped EXE (1 IoC)
  pid   Process
  2976  tmpB24F.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe
  2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""  (Process: tmpB24F.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: tmpB24F.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  (PID 2328, Process: e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe)
  Token: SeDebugPrivilege  (PID 2976, Process: tmpB24F.tmp.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 2328 wrote to memory of 2440   2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  30
  PID 2328 wrote to memory of 2440   2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  30
  PID 2328 wrote to memory of 2440   2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  30
  PID 2328 wrote to memory of 2440   2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  30
  PID 2440 wrote to memory of 3040   2440  vbc.exe                                                                  32
  PID 2440 wrote to memory of 3040   2440  vbc.exe                                                                  32
  PID 2440 wrote to memory of 3040   2440  vbc.exe                                                                  32
  PID 2440 wrote to memory of 3040   2440  vbc.exe                                                                  32
  PID 2328 wrote to memory of 2976   2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  33
  PID 2328 wrote to memory of 2976   2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  33
  PID 2328 wrote to memory of 2976   2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  33
  PID 2328 wrote to memory of 2976   2328  e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe  (PID 2328, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2440, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kwxxgdb5.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 3040, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2DB.tmp"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe  (PID 2976, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 74e65528f3009fd3eed265adff1a3321
  SHA1: 3400a0007fe54d2db2f501bcb35badc109d14cea
  SHA256: d5d90d36bffdd66c09ed929e1212f1e6a90ef0588e267df0a32e6a7ded6445b1
  SHA512: ecb1e79f3f25c4d7f04f6f85fceaaef073f59293653c12eddcfc4a8e6ae1960e37915329a5687c6313543839d5b5b44d1e4f0c5f6c373d7926c0231b0047c933
- Filesize: 15KB
  MD5: 32b3ad61e99cb6d83cc29b77a61d20b9
  SHA1: b286918741c8d98ffd4c6b98e6f1857c43b3c90a
  SHA256: 76682c3c2079f856ed59023b12d6ace5219ce59d4e58f6f7cc2d8575ed2fc68d
  SHA512: 16403da0bd8564c316a442589a6b5deab8aa712b4da73a06dd838d14899e8040016a62535b8f7810386667f10a183fa9d08744fda032d395188039a7d90defb4
- Filesize: 266B
  MD5: 04fc57a26fdcc5a02ebf3c94b7dbdb4d
  SHA1: d01154f15fc732d3a46a62aea52c3efa748cee65
  SHA256: 10e85172f1b3363b7b16ec6bf13c6f2f0d9574c05c63c92efe23843c4cb11ba2
  SHA512: 58943ace60bfbc026f81890ce162807884a79be207cf4bd6fb4d06a52ef7ab6f8f0e9449635cf9507238cbd395d9ae90a41f08d15fcc75b711e0f61918a37628
- Filesize: 78KB
  MD5: 925bab1448d384e18b8e4b6f86af204c
  SHA1: 422999453949d751973bfb1bb022d2df7fc70e00
  SHA256: d2b21642f71f8f3a60a6f576770be5f61284b500e4b5b1c49c4872f42c91c732
  SHA512: 957a75023f3fcd8872709a440277d02e2c9d2781081dc908e5aa149198bec7f47342a57bfa43a7c843b935eb83c97ebc3f4783fbabd8e3db425d10772eb7f1f3
- Filesize: 660B
  MD5: d335ac1d1bc4fb5f21e2033a5b6aefec
  SHA1: 36ef3f942902d4b3c26d525dc6417e4ad4908ad4
  SHA256: 8a1e46a133d6b8ddab86d67f88f0f55233463f2cbd1972a602928628dd506cb8
  SHA512: 9fdbbbcbbdebb4f5b10a6b4113b2e97e9fb3ceae2a99a20dc1b9886bbefa00990da556fa3219e0aba17e44affc821a76b3603545af32b794bc12528f0dd4a10d
- Filesize: 62KB
  MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
  SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
  SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
  SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d