Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2024 20:59
Static task: static1
Behavioral task: behavioral1
  Sample: 32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
  Resource: win10v2004-20241007-en
General
Target: 32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
Size: 78KB
MD5: f14f6ac28e8e3559bed3779ba0058150
SHA1: 7dd248561c20ab8553e817a1f2ce22733149e0dc
SHA256: 32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0
SHA512: f717ecc7267d031042b6d39d21b799480c002ebec4fd0363ec25b648927a95eb3d6088382deaec5a42381746fb4e664e1bd80b25e81b9d9b1765c074e67025c9
SSDEEP: 1536:0WtHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLc9/w1k:0WtHFo8dSE2EwR4uY41HyvYLc9/x
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access trojan that has been in circulation since 2013. The family label comes from the sandbox's signature match; confirm it against a second source (static rules, C2 configuration, or a known-sample comparison) before using it for attribution.
Metamorpherrat family
Executes dropped EXE 1 IoCs
  pid   Process
  2924  tmpC64B.tmp.exe
Loads dropped DLL 2 IoCs
  pid   Process
  2296  32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
  2296  32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
Uses the VBS compiler for execution 1 TTPs
The compiler involved is the Visual Basic .NET compiler (vbc.exe from Framework\v2.0.50727), not a VBScript interpreter. The sample hands vbc.exe a response file (@"...\2onjwfim.cmdline"), vbc.exe calls cvtres.exe for the resource step, and the sample then launches the freshly built tmpC64B.tmp.exe from Temp. This is the compile-at-runtime pattern of .NET droppers that build their payload on the victim host so the final executable never ships inside the original file.
Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "C:\Users\Admin\AppData\Local\Temp\sortkey.exe"  tmpC64B.tmp.exe
The value name imitates a .NET runtime component and the target sits in the user's Temp directory. The Wow6432Node path is the WOW64-redirected view of HKLM\...\Run written by a 32-bit process on an x64 host; it is still processed at logon. Writing to HKLM requires elevation, which the sandbox's Admin account provides, so on a standard-user host this step may fail. sortkey.exe is never launched within the 118 s analysis window and the report does not list it by name among the dropped files, so confirm the file actually exists on disk before treating the persistence as functional.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                     Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpC64B.tmp.exe
Note that vbc.exe and cvtres.exe, Microsoft's own build tools, trigger this signature as well: the .NET runtime reads this key during culture initialisation, so the hit is low-signal on its own and should not be read as a deliberate geofencing check.
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2296  32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
  Token: SeDebugPrivilege  2924  tmpC64B.tmp.exe
Suspicious use of WriteProcessMemory 12 IoCs
  source pid  target pid  source Process                                                           procid_target  events
  2296        3036        32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe  30             4
  3036        2192        vbc.exe                                                                  32             4
  2296        2924        32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe  33             4
Each group of four writes matches a process creation in the tree (2296 spawns 3036 and 2924; 3036 spawns 2192), so these are writes into a child the source just created rather than into an unrelated process; by themselves they do not show code injection.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe"
    PID:2296
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2onjwfim.cmdline"
        PID:3036
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC87E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC87D.tmp"
            PID:2192
            - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
        PID:2924
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
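The two behaviours in this report worth turning into detection logic are the compile-at-runtime chain (sample spawns vbc.exe with a .cmdline response file, vbc.exe spawns cvtres.exe, and the same parent then launches a new executable from Temp) and the Run value under Wow6432Node that points into Temp under a .NET-lookalike name. The Python below is an added example, not code from the sandbox report or from any tool it references. The process and registry records are constructed from the process tree and Run-key IoC above (the sample's own parent PID is made up, since the report does not give it); the event field names, the user-writable-directory list, the lookalike-name list and the build-tool allow-list are assumptions. It generalises slightly beyond the page by also matching csc.exe, the C# compiler that the same CodeDom technique drives.

```python
import re
from dataclasses import dataclass

# Added example, not code from the sandbox report. Lists and field names are assumptions.

# Directories an unprivileged user can write to (analyst-maintained assumption, not exhaustive).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Value names that imitate .NET / Windows components; "mscorsvc" is the name the report records.
LOOKALIKE_NAMES = {"mscorsvc", "mscorsvw", "svchost", "csrss", "dllhost"}

# Parents that legitimately drive the .NET compilers (assumed allow-list); anything else
# running vbc.exe/csc.exe with a response file looks like CodeDom compile-at-runtime.
BUILD_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegSet:
    pid: int
    key: str
    name: str
    data: str


# Constructed events: PIDs, images and command lines copied from the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
PROCS = [
    Proc(2296, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(3036, 2296, FW + r"\vbc.exe",
         f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\2onjwfim.cmdline"'),
    Proc(2192, 3036, FW + r"\cvtres.exe",
         f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RESC87E.tmp" '
         '"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbcC87D.tmp"'),
    Proc(2924, 2296, r"C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe",
         f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC64B.tmp.exe" {SAMPLE}'),
]
REGSETS = [
    RegSet(2924, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
           "mscorsvc", r'"C:\Users\Admin\AppData\Local\Temp\sortkey.exe"'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def runtime_compile_chains(procs):
    """Find parent -> vbc.exe/csc.exe (response file) chains where the same parent then
    launches a new .exe from a user-writable directory, i.e. it runs what it just built.
    cvtres_seen records whether the compiler really performed a build (resource step)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for comp in procs:
        if basename(comp.image) not in ("vbc.exe", "csc.exe") or "@" not in comp.cmdline:
            continue
        parent = by_pid.get(comp.ppid)
        if parent is None or basename(parent.image) in BUILD_TOOL_PARENTS:
            continue
        has_cvtres = any(c.ppid == comp.pid and basename(c.image) == "cvtres.exe" for c in procs)
        for child in procs:
            img = child.image.lower()
            if (child.ppid == parent.pid and child.pid != comp.pid and img.endswith(".exe")
                    and img != parent.image.lower() and any(d in img for d in USER_WRITABLE)):
                hits.append({"parent_pid": parent.pid, "compiler_pid": comp.pid,
                             "launched": child.image, "cvtres_seen": has_cvtres})
    return hits


def suspicious_run_values(regsets):
    """Score Run/RunOnce values: target in a user-writable directory and/or a lookalike name.
    wow64 marks the WOW64-redirected HKLM view, which logon still processes."""
    hits = []
    for r in regsets:
        if not RUN_KEY_RE.search(r.key):
            continue
        target = r.data.strip().strip('"').lower()
        reasons = []
        if any(d in target for d in USER_WRITABLE):
            reasons.append("user-writable path")
        if r.name.lower() in LOOKALIKE_NAMES:
            reasons.append("lookalike value name")
        if reasons:
            hits.append({"pid": r.pid, "name": r.name, "target": target,
                         "wow64": "\\wow6432node\\" in r.key.lower(), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in runtime_compile_chains(PROCS):
        print("compile-at-runtime:", h)
    for h in suspicious_run_values(REGSETS):
        print("run-key persistence:", h)
```

The NLS\Language key opens are deliberately not scored: as noted above they fire for the Microsoft build tools too. Feed real EDR process-creation and registry-set events into the same two functions and the only tuning needed is the allow-list of parents that are permitted to drive the compilers.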
Network
MITRE ATT&CK Enterprise v15
Downloads
-
1. Filesize: 15KB
   MD5: 1e18e8a5c11ee55c9fb624ea0a6f292e
   SHA1: c11860e22483d726e7b0fdf5aa41da87804e50ec
   SHA256: 375bc17920e6037a51021d4d608959a81e08a7a772c60f4cf1f0cf1fda20216c
   SHA512: c38f0a03e66362b2cf039de8bbb241a591462c0392d7d51c524988e226d3b8df542605caf57660b256d8ac8ad192c4b37b88fd516520e6d20a5c8c0e9f96ea93
2. Filesize: 266B
   MD5: 8b91f780f14f32e981e09df16e328df7
   SHA1: f73c741e5ec9c8fff0a149f226b73ea3464b5151
   SHA256: 47328640ed065188595e232db761b774784ce34cc68bbfe09233dbc02e64b7b4
   SHA512: 2760d2de4f44b438c3bde6f9ae3c27e523f073fe0e1f0de803123e3e1e76c9bc6dc67eb575ec3e98ae58280225b9c73595d9c865411416f038db5016b5231e68
3. Filesize: 1KB
   MD5: c49b4f7520ed7a06eb3ecbe939a0cd8b
   SHA1: f8527479e312e3012c550a735b711780cb543532
   SHA256: 134c70e27877516f53ad768d5f513ded157c1f0d533dd9b73fd3daf1f3d3e43d
   SHA512: d3c866c5f23feaed96df33d148fd7b8f49ba5976e6e9f853883b1c121665de57b8786cf45261d1bafd07911d01efd55de6097d08063bc9a79181ac19a7fc0bca
4. Filesize: 78KB
   MD5: 8d2dfe8f31d117a3c141459fa8bb28c2
   SHA1: 861a831564da94e14302ca86e8f39e9e695c1b0a
   SHA256: 474b3de1ca20ca2a71405225d04e4969398179f33af1174489ed852b9920c138
   SHA512: 4b4ead92755de0728ebd5d20ee9a6f95fbac7aa8957750f9a269324aa9c1438704c8b2e8dfe4d887fba65c7ae727d8e6dbbcb8fd547e017f9a977afa251ea99a
5. Filesize: 660B
   MD5: d548c1f050c277a0c399776d170bfd8a
   SHA1: cd964bce4b99fbb30b24257630b4fccbef52f11b
   SHA256: ba6bcd9dc55af92c9da53d1325bd07228c16f2c045cf1ece712c3ab6180e9521
   SHA512: cd072bb5fab10e030be5aa88e25ddd42f771a0d55d40d7dc24d82ccf83faaad11290ef1b168d0259afd8ec0189d0544c24edd3fa9899554e88202af4006e8d04
6. Filesize: 62KB
   MD5: 6870a276e0bed6dd5394d178156ebad0
   SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
   SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
   SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809
The report lists these files by hash only, not by name. Entry 4 is 78KB, the same size as the submitted sample, but with different hashes; map each entry to the artefacts seen in the process tree (tmpC64B.tmp.exe, 2onjwfim.cmdline, RESC87E.tmp, vbcC87D.tmp and any sortkey.exe) by hashing the sandbox's disk export before using any of these hashes as indicators, and expect the compiled executable's hashes to vary between runs since it is built on the host.