Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-12-2024 22:46

General

  • Target

    3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe

  • Size

    78KB

  • MD5

    8477647e4679c817f80c33e6c46c644d

  • SHA1

    83788c6ab2613c0177e4c8a8a05326379699ca64

  • SHA256

    3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113

  • SHA512

    ac4ea5359f0b7328a537e4730d0bff79529a886a5baa49f9d71d44ef0b14db6ed755b4ee1f6f4c2392be20749263ef2647d9752ff59d22465cfabcbc734545ab

  • SSDEEP

    1536:l+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67Y9/PC1awk:I5jS7JywQjDgTLopLwdCFJzDY9/Ek

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a remote access tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe
    "C:\Users\Admin\AppData\Local\Temp\3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2qpvk4og.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8815.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8814.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2896
    • C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2716
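The process tree above is the signature of a .NET dropper that compiles its payload on the victim at run time: the sample launches vbc.exe with a @*.cmdline response file, vbc.exe spawns cvtres.exe to build the resource section, and the sample then executes the freshly written *.tmp.exe from %TEMP%, passing its own path on the command line. The detection below is an added example, not code from the page or from the sandbox vendor; it runs the chain logic over process-creation events constructed to mirror the report's tree (same PIDs and command lines). The csc.exe entry, the benign-parent allowlist and the scoring are assumptions made for illustration.

```python
"""
Flag the runtime-compilation chain seen in the report:
  parent (non-dev process)
    -> vbc.exe /noconfig @<file>.cmdline
         -> cvtres.exe ...
    -> <temp>\\*.tmp.exe <parent's own path>
Added example; events are constructed from the report's Processes section.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3a6866c3f0249aba64ca0b28c341df77570acd7f77e6bef3394a62f9c41f9113.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed events modelled on the report (PIDs taken from the tree; ppid 1000 for the sample is assumed).
EVENTS = [
    ProcEvent(2648, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2760, 2648, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\2qpvk4og.cmdline"'),
    ProcEvent(2896, 2760, NET + r"\cvtres.exe",
              f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES8815.tmp" '
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc8814.tmp"'),
    ProcEvent(2716, 2648, r"C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe",
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp86AD.tmp.exe" {SAMPLE}'),
]

# Constructed benign build: MSBuild invoking vbc.exe the same way (assumed allowlisted parent).
BENIGN = [
    ProcEvent(4000, 1000, r"C:\Program Files\MSBuild\msbuild.exe", "msbuild.exe app.vbproj"),
    ProcEvent(4001, 4000, NET + r"\vbc.exe", f'"{NET}\\vbc.exe" /noconfig @"C:\\build\\obj\\x.cmdline"'),
    ProcEvent(4002, 4001, NET + r"\cvtres.exe", f"{NET}\\cvtres.exe /NOLOGO"),
]

COMPILERS = {"vbc.exe", "csc.exe"}            # csc.exe added as the C# equivalent (assumption)
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumed allowlist of legitimate build hosts
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline"?', re.IGNORECASE)
TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_runtime_compile_chain(events):
    """Return one finding per compiler launch that matches the dropper pattern."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if basename(e.image) not in COMPILERS or not RESPONSE_FILE.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) in DEV_PARENTS:
            continue  # unknown or legitimate build host: not the dropper pattern
        spawns_cvtres = any(basename(c.image) == "cvtres.exe" for c in children.get(e.pid, []))
        dropped = [c for c in children.get(parent.pid, []) if TEMP_DROP.search(c.image)]
        # The report shows the dropped binary receiving the dropper's own path as argv[1].
        gets_parent_path = any(parent.image.lower() in c.cmdline.lower() for c in dropped)
        severity = 1 + int(spawns_cvtres) + int(bool(dropped)) + int(gets_parent_path)  # assumed scoring
        findings.append({
            "parent_pid": parent.pid,
            "compiler_pid": e.pid,
            "spawns_cvtres": spawns_cvtres,
            "dropped_exe_pids": [c.pid for c in dropped],
            "dropped_gets_parent_path": gets_parent_path,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in detect_runtime_compile_chain(EVENTS):
        print(f)
```

The benign set passes only because its vbc.exe parent is an allowlisted build host; in production the allowlist should be tightened to signed images at known paths, and the *.tmp.exe rule extended to any newly created PE under a user-writable directory.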

Network

  • DNS (tmp86AD.tmp.exe → 8.8.8.8:53)
    Request: bejnz.com IN A
    Response: bejnz.com IN A 44.221.84.105

  • Connections (all from tmp86AD.tmp.exe)

    Remote address        Domain      Bytes         Packets   Entries
    44.221.84.105:80      bejnz.com   152 B         3         6 (identical entries, each followed by a 127.0.0.1:127 record)
    127.0.0.1:127         -           -             -         6
    44.221.84.105:80      bejnz.com   52 B          1         1
    8.8.8.8:53 (dns)      bejnz.com   55 B / 71 B   1 / 1     1

    For the DNS row the two values are sent / received; the TCP rows record a single byte and packet count each.

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2qpvk4og.0.vb

    Filesize

    14KB

    MD5

    1aae9eb93d07ff39eff35b8c428b08d4

    SHA1

    7ff46a341ae5323512a45b5e6382325054565a9f

    SHA256

    5885be5b87c3ec4fb0bd4ccbda8cb21f8df8eedc46c9ba47103a2b9a96c5dd7b

    SHA512

    37933b7f3f3c6b5bb804ad02e6b3827f77245e138f31b1ded00862298bd3d572c7bf1342d7d10e2dabc608ab9757bbda55b7086d3e5624e406c1cb9d025c030a

  • C:\Users\Admin\AppData\Local\Temp\2qpvk4og.cmdline

    Filesize

    266B

    MD5

    7627fc9ecce15c45f22084ec608fd5ac

    SHA1

    f9095500314f7b7b952dbfbe7faa373dac177a77

    SHA256

    d83272ccd8186cf54b91ce976d07198369c626e9f2480caf0aa3b6e41d57e632

    SHA512

    583e559916abae93dd71558c18674d00a2a93960f0ed6b8289c99ae85cc2fefad411644d0a43163bf7c8d5ff3a7073501c66674228aa853138d04083863ed1cd

  • C:\Users\Admin\AppData\Local\Temp\RES8815.tmp

    Filesize

    1KB

    MD5

    3bd6514963f0fcf0c487f9d9f225d82f

    SHA1

    5bca21a15326d1eb187b7ed6a2cf35ab4d922c7a

    SHA256

    6ff20b0164df193e6d48c4795622981a98b2b620da05efe1ed569bcc10b53e4b

    SHA512

    e8c9fe19eafb096f6c46525742f601f7d864fdbad1c124f68a57dcd59cc942080a9bce3c09eae0f008eb2e896766f4faf71171a706ee8d1fa4adb65ed8671cc1

  • C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe

    Filesize

    78KB

    MD5

    537f4e615668f72f3ba9e2666c8bacb8

    SHA1

    04b72ec0d7d4de664fb7f1001ed5f57ed68f872e

    SHA256

    9538d8735eecfb328bd36b422d96cb62903acdcf06a8ca4cc64e5f1196926d7f

    SHA512

    4ebc186c0162468c48a750d586e241b08d890feee7123ae680f3d8bba86dae4cb46c5987cf09d89c861ad5d1439ca6671348e1c6c891636318c3f0005990bf7e

  • C:\Users\Admin\AppData\Local\Temp\vbc8814.tmp

    Filesize

    660B

    MD5

    b8a7846ae295252d08e307b9743d3746

    SHA1

    e2728d0edea6606f1d4cbf13b32f4ff8a53680d2

    SHA256

    d91256809f1b75455b827d800626f372950fcf39407990c9641bec3374b73b7d

    SHA512

    49d200610ed99921d58f7f0cd69ac6b08bb6d7f5402d7e761f67a323515a718dd0f133c3b84224d499db437e85463a580fc25397772575942450daabe20dbea9

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/2648-0-0x0000000074051000-0x0000000074052000-memory.dmp

    Filesize

    4KB

  • memory/2648-1-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-2-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-24-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2760-8-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2760-18-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB
