Analysis

  • max time kernel
    116s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 20:47

General

  • Target

    e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe

  • Size

    78KB

  • MD5

    efd288a619127c41cade1dc188346430

  • SHA1

    37e0f11628b4b298d444442daad66055ca46e19a

  • SHA256

    e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26b

  • SHA512

    3141741aa36d96f752fa29c19e9781bf2dd12b9b9d00caed91647248b8a3cbb257176fe336b4436b2812b728058b725fb9d945888683e4b9c150fd8e5def0411

  • SSDEEP

    1536:aCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtG9/cc1o3:aCHF8h/l0Y9MDYrm7G9/s

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe
    "C:\Users\Admin\AppData\Local\Temp\e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kwxxgdb5.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2DB.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3040
    • C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e507b509891af33480ef02a38a5a1daca9e10e094db2789016b183bd7ac9d26bN.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB2DC.tmp

    Filesize

    1KB

    MD5

    74e65528f3009fd3eed265adff1a3321

    SHA1

    3400a0007fe54d2db2f501bcb35badc109d14cea

    SHA256

    d5d90d36bffdd66c09ed929e1212f1e6a90ef0588e267df0a32e6a7ded6445b1

    SHA512

    ecb1e79f3f25c4d7f04f6f85fceaaef073f59293653c12eddcfc4a8e6ae1960e37915329a5687c6313543839d5b5b44d1e4f0c5f6c373d7926c0231b0047c933

  • C:\Users\Admin\AppData\Local\Temp\kwxxgdb5.0.vb

    Filesize

    15KB

    MD5

    32b3ad61e99cb6d83cc29b77a61d20b9

    SHA1

    b286918741c8d98ffd4c6b98e6f1857c43b3c90a

    SHA256

    76682c3c2079f856ed59023b12d6ace5219ce59d4e58f6f7cc2d8575ed2fc68d

    SHA512

    16403da0bd8564c316a442589a6b5deab8aa712b4da73a06dd838d14899e8040016a62535b8f7810386667f10a183fa9d08744fda032d395188039a7d90defb4

  • C:\Users\Admin\AppData\Local\Temp\kwxxgdb5.cmdline

    Filesize

    266B

    MD5

    04fc57a26fdcc5a02ebf3c94b7dbdb4d

    SHA1

    d01154f15fc732d3a46a62aea52c3efa748cee65

    SHA256

    10e85172f1b3363b7b16ec6bf13c6f2f0d9574c05c63c92efe23843c4cb11ba2

    SHA512

    58943ace60bfbc026f81890ce162807884a79be207cf4bd6fb4d06a52ef7ab6f8f0e9449635cf9507238cbd395d9ae90a41f08d15fcc75b711e0f61918a37628

  • C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe

    Filesize

    78KB

    MD5

    925bab1448d384e18b8e4b6f86af204c

    SHA1

    422999453949d751973bfb1bb022d2df7fc70e00

    SHA256

    d2b21642f71f8f3a60a6f576770be5f61284b500e4b5b1c49c4872f42c91c732

    SHA512

    957a75023f3fcd8872709a440277d02e2c9d2781081dc908e5aa149198bec7f47342a57bfa43a7c843b935eb83c97ebc3f4783fbabd8e3db425d10772eb7f1f3

  • C:\Users\Admin\AppData\Local\Temp\vbcB2DB.tmp

    Filesize

    660B

    MD5

    d335ac1d1bc4fb5f21e2033a5b6aefec

    SHA1

    36ef3f942902d4b3c26d525dc6417e4ad4908ad4

    SHA256

    8a1e46a133d6b8ddab86d67f88f0f55233463f2cbd1972a602928628dd506cb8

    SHA512

    9fdbbbcbbdebb4f5b10a6b4113b2e97e9fb3ceae2a99a20dc1b9886bbefa00990da556fa3219e0aba17e44affc821a76b3603545af32b794bc12528f0dd4a10d

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/2328-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

    Filesize

    4KB

  • memory/2328-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB

  • memory/2328-2-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB

  • memory/2328-24-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-18-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB