Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-12-2024 22:46

Static task: static1

Behavioral task: behavioral1
Sample: 3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe
Resource: win10v2004-20241007-en
General
Target: 3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe
Size: 78KB
MD5: 8477647e4679c817f80c33e6c46c644d
SHA1: 83788c6ab2613c0177e4c8a8a05326379699ca64
SHA256: 3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113
SHA512: ac4ea5359f0b7328a537e4730d0bff79529a886a5baa49f9d71d44ef0b14db6ed755b4ee1f6f4c2392be20749263ef2647d9752ff59d22465cfabcbc734545ab
SSDEEP: 1536:l+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67Y9/PC1awk:I5jS7JywQjDgTLopLwdCFJzDY9/Ek
Malware Config

Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Executes dropped EXE (1 IoC)
pid 2716: tmp86AD.tmp.exe

Loads dropped DLL (2 IoCs)
pid 2648: 3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe
pid 2648: 3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp86AD.tmp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege (pid 2648, process: 3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
pid 2648 (3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe) wrote to memory of 2760, procid_target 30: recorded 4 times
pid 2760 (vbc.exe) wrote to memory of 2896, procid_target 32: recorded 4 times
pid 2648 (3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe) wrote to memory of 2716, procid_target 33: recorded 4 times
Processes

C:\Users\Admin\AppData\Local\Temp\3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe (PID 2648)
Command line: "C:\Users\Admin\AppData\Local\Temp\3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2760, child of 2648)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2qpvk4og.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2896, child of 2760)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8815.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8814.tmp"
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe (PID 2716, child of 2648)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network

DNS: remote address 8.8.8.8:53, request bejnz.com IN A, response bejnz.com IN A 44.221.84.105
Other flows (bytes, count): 152 B 3 (six entries); 52 B 1
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: 1aae9eb93d07ff39eff35b8c428b08d4
SHA1: 7ff46a341ae5323512a45b5e6382325054565a9f
SHA256: 5885be5b87c3ec4fb0bd4ccbda8cb21f8df8eedc46c9ba47103a2b9a96c5dd7b
SHA512: 37933b7f3f3c6b5bb804ad02e6b3827f77245e138f31b1ded00862298bd3d572c7bf1342d7d10e2dabc608ab9757bbda55b7086d3e5624e406c1cb9d025c030a

Filesize: 266B
MD5: 7627fc9ecce15c45f22084ec608fd5ac
SHA1: f9095500314f7b7b952dbfbe7faa373dac177a77
SHA256: d83272ccd8186cf54b91ce976d07198369c626e9f2480caf0aa3b6e41d57e632
SHA512: 583e559916abae93dd71558c18674d00a2a93960f0ed6b8289c99ae85cc2fefad411644d0a43163bf7c8d5ff3a7073501c66674228aa853138d04083863ed1cd

Filesize: 1KB
MD5: 3bd6514963f0fcf0c487f9d9f225d82f
SHA1: 5bca21a15326d1eb187b7ed6a2cf35ab4d922c7a
SHA256: 6ff20b0164df193e6d48c4795622981a98b2b620da05efe1ed569bcc10b53e4b
SHA512: e8c9fe19eafb096f6c46525742f601f7d864fdbad1c124f68a57dcd59cc942080a9bce3c09eae0f008eb2e896766f4faf71171a706ee8d1fa4adb65ed8671cc1

Filesize: 78KB
MD5: 537f4e615668f72f3ba9e2666c8bacb8
SHA1: 04b72ec0d7d4de664fb7f1001ed5f57ed68f872e
SHA256: 9538d8735eecfb328bd36b422d96cb62903acdcf06a8ca4cc64e5f1196926d7f
SHA512: 4ebc186c0162468c48a750d586e241b08d890feee7123ae680f3d8bba86dae4cb46c5987cf09d89c861ad5d1439ca6671348e1c6c891636318c3f0005990bf7e

Filesize: 660B
MD5: b8a7846ae295252d08e307b9743d3746
SHA1: e2728d0edea6606f1d4cbf13b32f4ff8a53680d2
SHA256: d91256809f1b75455b827d800626f372950fcf39407990c9641bec3374b73b7d
SHA512: 49d200610ed99921d58f7f0cd69ac6b08bb6d7f5402d7e761f67a323515a718dd0f133c3b84224d499db437e85463a580fc25397772575942450daabe20dbea9

Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7