Overview

overview

10

Static

static

3

32f8c78ae8...0N.exe

windows7-x64

10

32f8c78ae8...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2024, 20:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe

  • Size

    78KB

  • MD5

    f14f6ac28e8e3559bed3779ba0058150

  • SHA1

    7dd248561c20ab8553e817a1f2ce22733149e0dc

  • SHA256

    32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0

  • SHA512

    f717ecc7267d031042b6d39d21b799480c002ebec4fd0363ec25b648927a95eb3d6088382deaec5a42381746fb4e664e1bd80b25e81b9d9b1765c074e67025c9

  • SSDEEP

    1536:0WtHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLc9/w1k:0WtHFo8dSE2EwR4uY41HyvYLc9/x

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brpjf22r.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83AE29D54F2C4C75BEAA5FC153E4C164.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4516
    • C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\32f8c78ae8a0530f0c6c8741251ff462631288097e0656c1143970dbca8078a0N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4060

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESF8F6.tmp
          Filesize

          1KB

          MD5

          3994a8bcd8848a4f17b4ec677e6f52dd

          SHA1

          aafcc9e6dcda5256699bac5facb2e36f1778b6a4

          SHA256

          37432b418ed371d8c80851da6e0599411ec8e069135d9156a14234487f9b3fd4

          SHA512

          4d7e35f4925b86e9436c6cbc6cbbec6fb729a544840e82c4b8499bb5ee2aa9d636ed9e875c423320813a8c17878864b632acca722077970f40f3f244abe81b33

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\brpjf22r.0.vb
          Filesize

          15KB

          MD5

          3e9ebdfb586516be1a2ffa0ef47a5a7c

          SHA1

          3082b5717a6cc7143066e9a9c06d5f40427f4dd3

          SHA256

          f2ec94b11fc733189b4442a0c787d686d9977869004029035469e694ba926b51

          SHA512

          9b113ef26c0e4c722a70d3deccfad81b122ce48273f990f2d01c8f0db41fd13f2e3ac5d9b36ec5000c25868d3ca932f86dfd2723ed5c8c18ded9384cbbaebb2d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\brpjf22r.cmdline
          Filesize

          266B

          MD5

          83437fb3972fbc7ab3af737f2a2e2d58

          SHA1

          a6e55c6aa6a9665cfbedb2d0d2cd38fcc8246f72

          SHA256

          bd4f341b647f1aff0227afdd7e3c1fa36023f6024a15dd8e8368462392a4345a

          SHA512

          d492abefd43ddb045a8f3cbfd6013a6f14d203cd6203be17092c884ae15869ffef02608e19428c26f83043da9cc09a16d77fccadd4bafc9e13effc54dad10922

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp.exe
          Filesize

          78KB

          MD5

          d6fd3e528ef6e054fa0fe8e2893fc6e4

          SHA1

          729ccc64ca4fe3bdd1e6fff69de262799516f5ec

          SHA256

          c43f7958c5b8d2a70b08db05f03856271dd70f28da36f25c810a356a11ad58e3

          SHA512

          b0b9bb3482e5e8a9bf200ffe61236f09b47f02df03e6bebdb619e53c0539e2a9fc4b9da56b9c80303b66f90ce11d8ef1cc78f76be8c904d0ee1616f680661aed

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vbc83AE29D54F2C4C75BEAA5FC153E4C164.TMP
          Filesize

          660B

          MD5

          3cbd7e88efcae335cbe1edfd61fd851f

          SHA1

          0a210e6929d437c266881a2216ad90f52d8f1eab

          SHA256

          b87fce38f3b390eb54eca0109da16ebf0fae4913ec4b7b0c80a4b54bb9dfadc2

          SHA512

          a520e0e2a00b5aae2013bb09a68bee2b7c4add0dd39eaf7646ec29aa8d1170253a7aa12dad8daa7b6ba3ff0bae19cc3594f9a88742b6ff4a94cf899c206d6eb4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zCom.resources
          Filesize

          62KB

          MD5

          6870a276e0bed6dd5394d178156ebad0

          SHA1

          9b6005e5771bb4afb93a8862b54fe77dc4d203ee

          SHA256

          69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

          SHA512

          3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

          Download Submit

        • memory/2376-9-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2376-18-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3544-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3544-0-0x0000000075522000-0x0000000075523000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3544-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3544-23-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4060-24-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4060-22-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4060-26-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4060-27-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4060-28-0x0000000075520000-0x0000000075AD1000-memory.dmp

          Filesize

          5.7MB

          Download