Analysis

max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2024 19:32
Static task: static1

Behavioral task: behavioral1
  Sample: a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
  Resource: win10v2004-20241007-en
General

Target: a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
Size: 78KB
MD5: d55f100cfb933229802926d5e142a700
SHA1: b58f25f840f8a95793df1ae0ca3fe1757eeb6116
SHA256: a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4
SHA512: ee2ef6aeefbceea0c98ff4fee92ffe45bdd7a7a96cdcea93bd187a90742025c9b87002a73c626e76f5077527a889dbfcf142e6bda3e028b7c1b63a390772fb85
SSDEEP: 1536:n858RpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6V9/cM1KR:858nJywQjDgTLopLwdCFJzi9/m
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a remote access tool (RAT) that has been in circulation since 2013.

MetamorpherRAT family
Executes dropped EXE (1 IoC)
  pid   Process
  2760  tmpF3B2.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2756  a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
  2756  a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
Uses the Visual Basic compiler (vbc.exe) for execution (1 TTP)
The sample invokes the .NET Framework Visual Basic command-line compiler at runtime; vbc.exe is a VB.NET compiler, not a VBScript interpreter.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    tmpF3B2.tmp.exe
Note that vbc.exe and cvtres.exe are the stock .NET Framework 2.0 compiler binaries, so their reads of this key reflect ordinary locale initialisation; only the reads by the sample and by the dropped tmpF3B2.tmp.exe are attributable to the malware itself.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2756  a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2756 wrote to memory of 2764   2756  a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe    30   (reported 4 times)
  PID 2764 wrote to memory of 2716   2764  vbc.exe                                                                   32   (reported 4 times)
  PID 2756 wrote to memory of 2760   2756  a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe    33   (reported 4 times)
Every pair here is a parent writing into a child it has just created (see the process tree below), so these hits are consistent with ordinary process creation rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe  (PID 2756)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2764)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aeom3j9q.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2716)
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF49D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF49C.tmp"
         - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Local\Temp\tmpF3B2.tmp.exe  (PID 2760)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF3B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

The tree shows a compile-at-runtime chain: the sample hands vbc.exe a .cmdline response file from its own Temp directory (the pattern produced by .NET CodeDom's CompileAssemblyFromSource), vbc.exe calls cvtres.exe to build the resource object, and the sample then executes the freshly compiled tmpF3B2.tmp.exe, passing its own path as the argument.
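The process tree above is the detection opportunity: a compiler is normally launched by MSBuild or Visual Studio, not by an executable living in a user's Temp directory. The following script is an added example, not part of the sandbox report, that scores that chain over process-creation events. The events are constructed to mirror the report's PIDs and command lines (the dropper's parent PID 1000 and the benign MSBuild comparison chain are assumptions); the event shape is a simplified Sysmon Event ID 1 record.

```python
import re
from collections import defaultdict

# Constructed process-creation events (simplified Sysmon Event ID 1 shape).
# PIDs, images and command lines follow the report's process tree; the
# dropper's parent PID 1000 and the MSBuild chain are assumptions.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DROPPER = TEMP + r"\a1d457d172edfc07dcdb6823544b20148ddbd4e34b287915f7771041a89219b4N.exe"

EVENTS = [
    {"pid": 2756, "ppid": 1000, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 2764, "ppid": 2756, "image": FW + r"\vbc.exe",
     "cmd": f'"{FW}\\vbc.exe" /noconfig @"{TEMP}\\aeom3j9q.cmdline"'},
    {"pid": 2716, "ppid": 2764, "image": FW + r"\cvtres.exe",
     "cmd": f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
            f'"/OUT:{TEMP}\\RESF49D.tmp" "{TEMP}\\vbcF49C.tmp"'},
    {"pid": 2760, "ppid": 2756, "image": TEMP + r"\tmpF3B2.tmp.exe",
     "cmd": f'"{TEMP}\\tmpF3B2.tmp.exe" {DROPPER}'},
    # Benign comparison (assumed): a build tool invoking vbc.exe the same way.
    {"pid": 4000, "ppid": 3999,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": "MSBuild.exe build.proj"},
    {"pid": 4001, "ppid": 4000, "image": FW + r"\vbc.exe",
     "cmd": f'"{FW}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]

VBC_RE = re.compile(r"\\vbc\.exe$", re.I)
CVTRES_RE = re.compile(r"\\cvtres\.exe$", re.I)
RESPONSE_RE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TMP_EXE_RE = re.compile(r"\\tmp[0-9A-F]{4}\.tmp\.exe$", re.I)


def find_compile_chains(events):
    """Return one finding per vbc.exe launched from a user Temp directory with a
    .cmdline response file, annotated with the corroborating cvtres.exe child
    and any tmp*.tmp.exe the same parent went on to execute."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if not VBC_RE.search(e["image"]):
            continue
        m = RESPONSE_RE.search(e["cmd"])
        parent = by_pid.get(e["ppid"])
        # vbc.exe under MSBuild/Visual Studio is routine; the signal is a
        # compiler whose parent itself runs out of %TEMP%.
        if m is None or parent is None or not USER_TEMP_RE.search(parent["image"]):
            continue
        cvtres = [c["pid"] for c in children[e["pid"]] if CVTRES_RE.search(c["image"])]
        dropped = [c["pid"] for c in children[parent["pid"]] if TMP_EXE_RE.search(c["image"])]
        # Compile-from-Temp is suspicious on its own; the resource-compiler
        # child and an executed tmp*.tmp.exe sibling each raise confidence.
        score = 60 + (20 if cvtres else 0) + (20 if dropped else 0)
        findings.append({
            "parent_pid": parent["pid"], "vbc_pid": e["pid"],
            "response_file": m.group("path"), "cvtres_pids": cvtres,
            "dropped_exe_pids": dropped, "score": score,
        })
    return findings


if __name__ == "__main__":
    for finding in find_compile_chains(EVENTS):
        print(finding)
```

Against the constructed events only the report's chain is flagged (parent 2756, vbc.exe 2764, cvtres.exe 2716, dropped tmpF3B2.tmp.exe 2760, score 100); the MSBuild-launched compiler is ignored. In production the parent-image test should be widened to other user-writable locations (Downloads, %APPDATA%, %PUBLIC%) and the response file should be collected before the sample deletes it, since it names the source file that was compiled.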
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 1KB
   MD5: 17811b3c28036abe842287e03c60925a
   SHA1: 81569eb0f5937a9bcfbaeaed05416768fc9b99d5
   SHA256: 08a3c6904f84d19c6186753f09e8b8c988d2425955053e73baac803e275ca213
   SHA512: 45a72c5e02a4cfa587ea284527f1354a756f1c8a0d482ddc00d8f69d5098cf1ee861138e8abab74b695ec4ebce7cd9eaa0319d8eacbe694738a982822b0d04e4

2. Filesize: 14KB
   MD5: 56e0d1af10a0336dafed1dac221ac8eb
   SHA1: f28bbcda52a293429923835c8162a032dd01ead1
   SHA256: 36547201a74b0feb2925cf31532412adf6014a7862027539b4ddc30fbadbc59e
   SHA512: d4005415b0bdf8879cb66dd90de68cb9b548960a7b9dcf47b0d80727e0bc6fd9981456a18bf374946bd16f4270cba43d21eca04fddc7bd763fbbc7cc1bcde93f

3. Filesize: 266B
   MD5: 5f547d9948560e9c64ce33afe2adc457
   SHA1: fec3d73c4eafe1c68caf38ca321733caf5408e08
   SHA256: 61411fbee526b3a65b44134165f3542ec444d119d7d67b4df0836d562b2a1b2a
   SHA512: d40e7b45a13c8458e29c9d9aff1af6e2a435e14b9fbcfaf54d810544eb6e84eec30d1f636a85fc9abe07bf2b451f3ca173785be37579029d720f9852d43c9c6b

4. Filesize: 78KB
   MD5: d9621f63d1f9fd6ebff8132f6b40f5c7
   SHA1: 07e1ba6ff586b8faee9188b90c61e0df27d4347f
   SHA256: e85fef6ce0b3c11835c3685e3ab6d59eb1d459e4bdcbb44c5570c1eda14bda2d
   SHA512: f88708b373a7e20d3dd887f7b51b593ebc8ead5a2c6e8bcc620d13be29c684c09dfe0fe649d7e989ae4fb77d27a40ecb3709c89083f850ca4ef5f149b6da55c1

5. Filesize: 660B
   MD5: 9235a8ca39d7d82370b69009c96e7596
   SHA1: be3cc3a0611783ad47ec86c49e8b2c0c6b4697d6
   SHA256: 183b8ba4b34dab8529f10b65b6dbdb465bf51b9abd9bea940041b0204cd8c5d7
   SHA512: 3db28773d24afdabf919807d0525cb1d6c1bdc9d6114b1294f8e931fbc8e54bf244991bd464e7fb601b64f00fc5da00aabced768bececa7c9509907136862818

6. Filesize: 62KB
   MD5: 484967ab9def8ff17dd55476ca137721
   SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
   SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
   SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

The report does not name these dropped files; when triaging, match them against the artifacts in the process tree (the .cmdline response file, the vbc*.tmp and RES*.tmp intermediates, and tmpF3B2.tmp.exe) by size and by re-hashing the files recovered from the Temp directory.