Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 10-12-2024 11:46

Static task: static1

Behavioral task: behavioral1
  Sample: 18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
  Resource: win10v2004-20241007-en
General

Target: 18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
Size: 78KB
MD5: 901fe0ad6733008a126557eafaea909c
SHA1: 2ae959d49dd257bd04e5049d90a67079674cac3f
SHA256: 18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353
SHA512: 1010d1cad8fda23b8bad38f8dd6620eaa9e9dd9b8a7605978ba9e67eef81bb8de772c052c849ad67d8fd96177c6218340376b80377daec93cc55e1749183921a
SSDEEP: 1536:IHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtee9/7h1zHD:IHFo53Ln7N041Qqhgee9/bD
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family
Executes dropped EXE (1 IoC)
  PID   Process
  2924  tmpAB6C.tmp.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
Uses the VBS compiler for execution (1 TTP)
Despite the signature name, vbc.exe is the Visual Basic .NET command-line compiler, not the VBScript host: the sample compiles code at runtime from a response file in %TEMP%, which is why vbc.exe and its child cvtres.exe appear in the process tree below.
Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  Process: tmpAB6C.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpAB6C.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
  Token: SeDebugPrivilege  2924  tmpAB6C.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                  procid_target
  PID 2504 wrote to memory of 1916  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe  30
  PID 2504 wrote to memory of 1916  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe  30
  PID 2504 wrote to memory of 1916  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe  30
  PID 2504 wrote to memory of 1916  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe  30
  PID 1916 wrote to memory of 2464  1916  vbc.exe                                                                  32
  PID 1916 wrote to memory of 2464  1916  vbc.exe                                                                  32
  PID 1916 wrote to memory of 2464  1916  vbc.exe                                                                  32
  PID 1916 wrote to memory of 2464  1916  vbc.exe                                                                  32
  PID 2504 wrote to memory of 2924  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe  33
  PID 2504 wrote to memory of 2924  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe  33
  PID 2504 wrote to memory of 2924  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe  33
  PID 2504 wrote to memory of 2924  2504  18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe  33
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe"
  PID: 2504
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gxnr7ozk.cmdline"
    PID: 1916
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC75.tmp"
      PID: 2464
      - System Location Discovery: System Language Discovery

  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmpAB6C.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAB6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe
    PID: 2924
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
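The process tree above is the drop-then-compile pattern: the sample launches vbc.exe with a response file in %TEMP%, vbc.exe launches cvtres.exe, and the dropped tmpAB6C.tmp.exe persists through a Run value named System.XML that points at an AppLaunch.exe copy in %TEMP%. The following hunting logic is an added example, not part of the sandbox report or of any vendor's rule set. It runs over constructed Sysmon-style events that reproduce the report's PIDs, paths and command lines; the field names (Image, ParentImage, CommandLine, TargetObject, Details), the severity thresholds, the lists of build-tool parents and .NET utility names, and the two benign control events are assumptions.

```python
"""Hunting logic for runtime .NET compilation and %TEMP%-backed Run keys.

Added example; the event schema, allow-lists and control events below are
assumptions, while the PIDs, paths and command lines mirror the report.
"""
import re

COMPILERS = {"vbc.exe", "csc.exe"}                       # runtime .NET compilers
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Utilities that normally live under %windir%\Microsoft.NET; a copy elsewhere is a masquerade.
DOTNET_NAMES = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
RESPONSE_FILE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)

SID = r"S-1-5-21-2703099537-420551529-3771253338-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\18193716581e6e1a8c8b0988a51a4bbdf2df5a4c3fcaa675033f68341a424353.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmpAB6C.tmp.exe"

# Constructed events (Sysmon-like shape is an assumption); the first four mirror the report.
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 1916, "ParentProcessId": 2504, "Image": VBC,
     "ParentImage": SAMPLE,
     "CommandLine": '"' + VBC + '" /noconfig @"' + r"C:\Users\Admin\AppData\Local\Temp\gxnr7ozk.cmdline" + '"'},
    {"EventType": "ProcessCreate", "ProcessId": 2464, "ParentProcessId": 1916, "Image": CVTRES,
     "ParentImage": VBC,
     "CommandLine": CVTRES + r' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC75.tmp"'},
    {"EventType": "ProcessCreate", "ProcessId": 2924, "ParentProcessId": 2504, "Image": DROPPED,
     "ParentImage": SAMPLE, "CommandLine": '"' + DROPPED + '" ' + SAMPLE},
    {"EventType": "RegistryValueSet", "ProcessId": 2924, "Image": DROPPED,
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'},
    # Benign control: the same compiler spawned by a real build (assumed paths).
    {"EventType": "ProcessCreate", "ProcessId": 4100, "ParentProcessId": 4000, "Image": VBC,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": '"' + VBC + '" /noconfig @"' + r"C:\src\app\obj\Debug\app.cmdline" + '"'},
    # Benign control: a per-user Run value that points outside %TEMP% (assumed).
    {"EventType": "RegistryValueSet", "ProcessId": 5200,
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return TEMP_DIR.search(path) is not None


def runtime_compile_findings(events):
    """Flag vbc/csc launched by anything other than a build tool, plus the cvtres.exe
    child of a flagged compiler (events are expected in creation order)."""
    findings, flagged = [], set()
    for e in events:
        if e.get("EventType") != "ProcessCreate":
            continue
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        if image in COMPILERS and parent not in BUILD_PARENTS:
            m = RESPONSE_FILE.search(e.get("CommandLine", ""))
            resp = m.group("path") if m else ""
            # Parent or response file in %TEMP% is the dropper pattern, not a stray dev shell.
            sev = "high" if in_temp(e["ParentImage"]) or in_temp(resp) else "medium"
            flagged.add(e["ProcessId"])
            findings.append({"rule": "runtime_compile", "pid": e["ProcessId"],
                             "parent": parent, "response_file": resp, "severity": sev})
        elif image == "cvtres.exe" and e.get("ParentProcessId") in flagged:
            findings.append({"rule": "runtime_compile_cvtres", "pid": e["ProcessId"],
                             "parent": parent, "severity": "info"})
    return findings


def run_key_findings(events):
    """Flag Run/RunOnce values whose target sits in %TEMP% or reuses a .NET Framework
    utility name outside the framework directory."""
    findings = []
    for e in events:
        if e.get("EventType") != "RegistryValueSet" or not RUN_KEY.search(e["TargetObject"]):
            continue
        target = e.get("Details", "").strip().strip('"')
        reasons = []
        if in_temp(target):
            reasons.append("target_in_temp")
        if basename(target) in DOTNET_NAMES and "\\microsoft.net\\" not in target.lower():
            reasons.append("dotnet_name_outside_framework_dir")
        if reasons:
            findings.append({"rule": "suspicious_run_key", "pid": e["ProcessId"],
                             "value_name": e["TargetObject"].rsplit("\\", 1)[-1],
                             "target": target, "reasons": reasons})
    return findings


def analyze(events):
    return runtime_compile_findings(events) + run_key_findings(events)


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the report's events this yields three findings: the vbc.exe launch (high, because both the parent and the .cmdline response file are in %TEMP%), its cvtres.exe child, and the System.XML Run value (both reasons fire, since AppLaunch.exe is placed in %TEMP% rather than under %windir%\Microsoft.NET). The MSBuild and OneDrive control events produce nothing, which is the check to run before deploying a rule like this: a compiler spawned by a build system and a Run value pointing at a normal per-user install path must stay quiet.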
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1KB
  MD5: 28f63e64272cd5e074207afb3feb8dc3
  SHA1: d47690954c35fa20dd0ecc102882ce7eb6ebe20e
  SHA256: b6e39654f7b05c36bf87cb34706901c5ca2c46f8e5b11335db3a4318c7555997
  SHA512: 41c69d115fb9e4438ce658b61154e603e2fef036f6cbeaa5eba5f5e71e807ff3dd5ce7bea884d683a1b537123e566276a82d4194046a922e8a04301b4a3b171b

File 2
  Filesize: 15KB
  MD5: 8fdfcd4020a9c03493268292582d162e
  SHA1: 3bd391a9809f717c2329631b8e3edec29d91c1ff
  SHA256: c37869b17150607457a2915d56edb2424141b9d2b0b96223a5df71e4f2a928c1
  SHA512: 4b8e2e7db7daf0c6dd2e0d3f247c2c1aa850802f71bcce10aa670c869cfc49334c549bb70b6310083b6eb73a0be6bd82d9fb0beca4240c729ccf52b31729daa4

File 3
  Filesize: 266B
  MD5: 5975edb1b4ed3c478f1f63355d0e3a15
  SHA1: 7cc4938a3da682223d8913a56016f9bf1edc43ee
  SHA256: e9c5354f244db3d15d92137afba56049b481290d2a850b4735d38f3cf582432b
  SHA512: fc185ec7fdfb5c75689271ff757c8fc16475f77ac4ace993a5a3b86ebebd279c75bfd3b4d5ec6f863622822d8f476861b0215217fa8040a8949a545a639d54b0

File 4
  Filesize: 78KB
  MD5: 8718d61b7849222f818a9d36d3e083a5
  SHA1: 461cea206ee835e8c8b6dd3442fa85ae16eae036
  SHA256: ea70f59185813164218f2645781dc46b392d1db13c6ea41b2019b8e62d471521
  SHA512: 4d4800d7d96489024c854ec448b4b08cc797b7dc7e31d806ce1c2bcd237d445663b5ea53df2393d8e055156e4b0c74416e55f39743e18bd82f0af606657d61cc

File 5
  Filesize: 660B
  MD5: ccd1fc9714b7e91d52f916b127745a3a
  SHA1: 73c2eb3eae5b4197d7ed8a395c1654e35309324f
  SHA256: c5a6e4edadcc54b3f928b0c6f327ea70832ece58891934df9fb65792d9bb7107
  SHA512: 3e3b346081ea5795a0cabdeb30d7948840cbc063a36f9ca2caabd275a3965039fb12fdf2fc159ff08baa4bcd15d24459761887eed5633cf419231ad90e0e4306

File 6
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65