Overview

overview

10

Static

static

3

d04adb63db...9N.exe

windows7-x64

7

d04adb63db...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d04adb63db82c68e7c4b1d0f3f51e54b8e41da6be73942c896b19e311f8bd029N.exe

  • Size

    78KB

  • MD5

    51b711d83f597131425da93699d01f50

  • SHA1

    8a218faaded71d9e01cb55645d6e3fb2a8e235c7

  • SHA256

    d04adb63db82c68e7c4b1d0f3f51e54b8e41da6be73942c896b19e311f8bd029

  • SHA512

    cce4a14e103b17834b3fc7dfa4a9a9df420293d30567108e6f9b5dcec5b06545a77182bdb336e256c6f4a5ae8a27aa9093e29e144a89c9d209fd4f92f6c6055d

  • SSDEEP

    1536:oPCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQto9/u1xg:oPCHs3xSyRxvY3md+dWWZyo9/l

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d04adb63db82c68e7c4b1d0f3f51e54b8e41da6be73942c896b19e311f8bd029N.exe
    "C:\Users\Admin\AppData\Local\Temp\d04adb63db82c68e7c4b1d0f3f51e54b8e41da6be73942c896b19e311f8bd029N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\56xqclgw.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7478BEF5F7E940B8B49455848ABEE5E1.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4084
    • C:\Users\Admin\AppData\Local\Temp\tmpBB12.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBB12.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d04adb63db82c68e7c4b1d0f3f51e54b8e41da6be73942c896b19e311f8bd029N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\56xqclgw.0.vb
    Filesize

    15KB

    MD5

    e026c21708bccc0b5e5163d063acb3d5

    SHA1

    42dcf0b38cc7b282297ad177014bd76ea1d84624

    SHA256

    f0089ca5c89e77a99ba3849bede9b52f616c08c98993d6c93651e114f253cb7a

    SHA512

    843a81023a537580afbf928ed7529d84c4f8c2ca0a9a5b8c70f748c86a6f20b5dc7a4dc05a1505fff3cdfff492ff53ce265c0c67cd15157aab121cca48858929

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\56xqclgw.cmdline
    Filesize

    266B

    MD5

    21a356777e0f874e40bc3217f8eb4877

    SHA1

    425dadc6dff58c92fdcf3e94cfe3b1440e7f1164

    SHA256

    3ac57040afd75346584490ceb46041606cceb9af9e4c7b5f9943eb85f14e5da8

    SHA512

    3496e27430c9b0a5ad904907c0d7c56ce8b174bf54a2270ca93cbc754db0fff781fb6d74d9bcd052b0dcfa728607c4601a5a298e7ed50e1e2c5c0a0f855e27ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESBC3B.tmp
    Filesize

    1KB

    MD5

    b1e9a241bf65480e8b40c6749ef6ff86

    SHA1

    8595c3ad6943ef8003b4fd271db62c73863aff41

    SHA256

    12866aa53fa76b88fbdd89e367b7424585eefbbb2eeabc32e75395fc72ca374b

    SHA512

    5114ae79e1c22c27485310b8ed972c53bd342955514f56d576191eff8fcc58b78f20e7bd07efa5683dede5a020b97dc16f717f7f5fa8e6309de76babe4d401f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBB12.tmp.exe
    Filesize

    78KB

    MD5

    a4e518b57fe29529c2278d25996a6277

    SHA1

    8149d1ca75f43b71f2839f76f11964ebd9d443cb

    SHA256

    d9f298ca7c7e281f6e531f32bd84d2daa9f83418dd736bb51ab536e2f560562d

    SHA512

    db65a874ceb89492aeca1e762083694fcfc8dec1d689da283f08fdbddeccb0cbe922b85cd331a168af438cc00921f1eec88a6310f254f8f656b5e040d52b7e48

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc7478BEF5F7E940B8B49455848ABEE5E1.TMP
    Filesize

    660B

    MD5

    37f662b20b36e1792d605e8a487aa687

    SHA1

    7dfe53f8e9c43d7143125c8b3632989c5092049c

    SHA256

    cc8d0a36337d7347062f92ecd0f0b41e5f245c027dfa411456c19ba7fca7384b

    SHA512

    db803e89e2125f9e9602e5909c5dfe64a79587b9b0c8d9f74cb88684d6fc65098aadc3f667f94553700d22c328f25cbd0f150bb050732fd39abd30ab8c987284

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    4f0e8cf79edb6cd381474b21cabfdf4a

    SHA1

    7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

    SHA256

    e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

    SHA512

    2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

    Download Submit

  • memory/3292-22-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3292-0-0x00000000750E2000-0x00000000750E3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3292-1-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3292-2-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3468-9-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3468-18-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4640-24-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4640-23-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4640-26-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4640-27-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4640-28-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4640-29-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4640-30-0x00000000750E0000-0x0000000075691000-memory.dmp

    Filesize

    5.7MB

    Download