Overview

overview

10

Static

static

3

6702250dea...2N.exe

windows7-x64

10

6702250dea...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6702250deae17b952a1f0605158f90219524f62d28042f1db0dee7af7dd02642N.exe

  • Size

    78KB

  • MD5

    d80ac5925e3cb10492059666bd61ed80

  • SHA1

    49a0c2bb7410ec9b91b816473cbb3da854bc1661

  • SHA256

    6702250deae17b952a1f0605158f90219524f62d28042f1db0dee7af7dd02642

  • SHA512

    8f1c40e0b0508c7383b535f4259d86e585e3be3302c86156c052a9bea8bc71e9f724bfcce9ac7f5fe17389d87a950113aa758086bf35f92bb5b7d49fd8ac5c58

  • SSDEEP

    1536:nPWV5Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6h9/S1VW:nPWV5Yn7N041Qqhgi9//

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6702250deae17b952a1f0605158f90219524f62d28042f1db0dee7af7dd02642N.exe
    "C:\Users\Admin\AppData\Local\Temp\6702250deae17b952a1f0605158f90219524f62d28042f1db0dee7af7dd02642N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n7kpmg4t.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC321.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FD67B3A75514BC08A61191E70E618E0.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1152
    • C:\Users\Admin\AppData\Local\Temp\tmpC17B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC17B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6702250deae17b952a1f0605158f90219524f62d28042f1db0dee7af7dd02642N.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESC321.tmp
    Filesize

    1KB

    MD5

    371841cc1c543597d33a6d201a3b2e3b

    SHA1

    567c799628594aef902f8d78f9f7fce37b11cab1

    SHA256

    cf288ab8791d45215f7700e45f31c10576c325947c904c0c5f0ddf111a2547f9

    SHA512

    fff8f6ea1c743104fdfa2fc78b06b3367f06a9a64bcb4ce4364e68387420a6fb39f943a94e86f3006050a8486bc8af9292fa8755b61755fe1168dd1dfb29a90b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\n7kpmg4t.0.vb
    Filesize

    14KB

    MD5

    8607717ecb5ed28537feaf0913d3820c

    SHA1

    721f5b703ac4f57582be27e16a20fa2e08c59853

    SHA256

    302f9a8110206c682ce8a7cf38acf3e2252a33fc3fcdd1c9bc7d6aade042c7d0

    SHA512

    fe3b54ad4163cb42957781a4aa666ebd02cb2b7d9e709a556e260f38ebf2e84e992279053629fca07b3d5703930cfa648e0829556863dcafb7d70009d20f7ab0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\n7kpmg4t.cmdline
    Filesize

    266B

    MD5

    b10f40f117d3f6d2c9ce58cba1001bc8

    SHA1

    0908c4e148e1d66cf459fe292853579d5a53513d

    SHA256

    1f1ff14af713f49658f98bac6e231b8a1654988db272d3167fbe385521937822

    SHA512

    c2c0ad39fd5567be0b41c19e3bcaa663b7d9d3528e9f92c1ba7940de41e475e7662d3b39e8a54d3e3205c11a322948d04dcba68ea9356a0f74d5a43f713afcd1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC17B.tmp.exe
    Filesize

    78KB

    MD5

    fa1608079c9f97818ecdaae8c2c1675f

    SHA1

    60bec68a8fd9cf75ac94f37dfb1b55389be1ca99

    SHA256

    8869b8bcfefd5dfc29d669b693306c1bf784fab2f4432231a64ce4d4c0442632

    SHA512

    20055e6f89acd6af9bcf3aa98953440f9dae7214b92763678d455b0861f505b2a0fffc9dba9137b331c03ff6e1df9cdba4342054369446d2769e292b7a8714d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc9FD67B3A75514BC08A61191E70E618E0.TMP
    Filesize

    660B

    MD5

    6bf5daeb4685bdbb6dbd75fecbdec300

    SHA1

    4ca1b923cbc3e7024107dde17bb103511b3a242c

    SHA256

    bef03d9381bd55b2f6a52bfcb2fd718184a95b246fee40c8dbd7fbc8c45714eb

    SHA512

    88ebf1cd115a5b38a2eaf6b1770401cd39567386ec12e73733e3a1dc5a270ff8679ed6744c525f35cb36671bf8d45a85a9182cae1176df5f0a191c966f700692

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/2636-25-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2636-24-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2636-23-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2636-27-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2636-28-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2636-29-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3608-18-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3608-9-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4940-0-0x00000000751D2000-0x00000000751D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4940-22-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4940-1-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4940-2-0x00000000751D0000-0x0000000075781000-memory.dmp

    Filesize

    5.7MB

    Download