Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2024 19:32

General

  • Target

    a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe

  • Size

    78KB

  • MD5

    d55f100cfb933229802926d5e142a700

  • SHA1

    b58f25f840f8a95793df1ae0ca3fe1757eeb6116

  • SHA256

    a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4

  • SHA512

    ee2ef6aeefbceea0c98ff4fee92ffe45bdd7a7a96cdcea93bd187a90742025c9b87002a73c626e76f5077527a889dbfcf142e6bda3e028b7c1b63a390772fb85

  • SSDEEP

    1536:n858RpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6V9/cM1KR:858nJywQjDgTLopLwdCFJzi9/m

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
    "C:\Users\Admin\AppData\Local\Temp\a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aeom3j9q.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF49D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF49C.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2716
    • C:\Users\Admin\AppData\Local\Temp\tmpF3B2.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF3B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESF49D.tmp

    Filesize

    1KB

    MD5

    17811b3c28036abe842287e03c60925a

    SHA1

    81569eb0f5937a9bcfbaeaed05416768fc9b99d5

    SHA256

    08a3c6904f84d19c6186753f09e8b8c988d2425955053e73baac803e275ca213

    SHA512

    45a72c5e02a4cfa587ea284527f1354a756f1c8a0d482ddc00d8f69d5098cf1ee861138e8abab74b695ec4ebce7cd9eaa0319d8eacbe694738a982822b0d04e4

  • C:\Users\Admin\AppData\Local\Temp\aeom3j9q.0.vb

    Filesize

    14KB

    MD5

    56e0d1af10a0336dafed1dac221ac8eb

    SHA1

    f28bbcda52a293429923835c8162a032dd01ead1

    SHA256

    36547201a74b0feb2925cf31532412adf6014a7862027539b4ddc30fbadbc59e

    SHA512

    d4005415b0bdf8879cb66dd90de68cb9b548960a7b9dcf47b0d80727e0bc6fd9981456a18bf374946bd16f4270cba43d21eca04fddc7bd763fbbc7cc1bcde93f

  • C:\Users\Admin\AppData\Local\Temp\aeom3j9q.cmdline

    Filesize

    266B

    MD5

    5f547d9948560e9c64ce33afe2adc457

    SHA1

    fec3d73c4eafe1c68caf38ca321733caf5408e08

    SHA256

    61411fbee526b3a65b44134165f3542ec444d119d7d67b4df0836d562b2a1b2a

    SHA512

    d40e7b45a13c8458e29c9d9aff1af6e2a435e14b9fbcfaf54d810544eb6e84eec30d1f636a85fc9abe07bf2b451f3ca173785be37579029d720f9852d43c9c6b

  • C:\Users\Admin\AppData\Local\Temp\tmpF3B2.tmp.exe

    Filesize

    78KB

    MD5

    d9621f63d1f9fd6ebff8132f6b40f5c7

    SHA1

    07e1ba6ff586b8faee9188b90c61e0df27d4347f

    SHA256

    e85fef6ce0b3c11835c3685e3ab6d59eb1d459e4bdcbb44c5570c1eda14bda2d

    SHA512

    f88708b373a7e20d3dd887f7b51b593ebc8ead5a2c6e8bcc620d13be29c684c09dfe0fe649d7e989ae4fb77d27a40ecb3709c89083f850ca4ef5f149b6da55c1

  • C:\Users\Admin\AppData\Local\Temp\vbcF49C.tmp

    Filesize

    660B

    MD5

    9235a8ca39d7d82370b69009c96e7596

    SHA1

    be3cc3a0611783ad47ec86c49e8b2c0c6b4697d6

    SHA256

    183b8ba4b34dab8529f10b65b6dbdb465bf51b9abd9bea940041b0204cd8c5d7

    SHA512

    3db28773d24afdabf919807d0525cb1d6c1bdc9d6114b1294f8e931fbc8e54bf244991bd464e7fb601b64f00fc5da00aabced768bececa7c9509907136862818

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/2756-0-0x0000000074701000-0x0000000074702000-memory.dmp

    Filesize

    4KB

  • memory/2756-1-0x0000000074700000-0x0000000074CAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2756-2-0x0000000074700000-0x0000000074CAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2756-24-0x0000000074700000-0x0000000074CAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2764-8-0x0000000074700000-0x0000000074CAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2764-18-0x0000000074700000-0x0000000074CAB000-memory.dmp

    Filesize

    5.7MB