Analysis

  • max time kernel
    99s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 15:22

General

  • Target

    89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe

  • Size

    78KB

  • MD5

    2315b763266a9f2cb9e40548cdfc29db

  • SHA1

    120fd5a2436528e2f7b40738faf41b0d2e5bf722

  • SHA256

    89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f

  • SHA512

    d821b4da41a71e75eca97a2511d51079c46cbb58e1a659b6b70ee874469fdf660edea48df6f6293675b9f47bb664c5f02576d73d73adbced1cae1cb62e533fb9

  • SSDEEP

    1536:158Tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6E9/Yx1eEE:158yn7N041Qqhg89/mE

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
    "C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1d96hfpv.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA19D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA19C.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2220
    • C:\Users\Admin\AppData\Local\Temp\tmp9EAF.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9EAF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
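The process tree above is the classic .NET "compile-and-drop" chain: the sample (PID 1688) launches the VB.NET compiler vbc.exe with a response file in Temp, vbc.exe spawns cvtres.exe to build the resource section, and the parent then executes the freshly compiled tmp9EAF.tmp.exe, passing its own path as an argument. The following is an added detection example (not part of the sandbox report or the sample) that flags this chain from process-creation events. The events are constructed from the report's own PIDs, images and command lines; the event record shape, the benign-parent allowlist and the two Run-key value strings are assumptions for illustration.

```python
"""Flag a .NET compiler (vbc.exe/csc.exe) launched by a non-build-tool
parent with a response file in Temp, followed by execution of a dropped
PE from Temp by the same parent. Added example; event shape is assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:          # assumed minimal process-creation record
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the "Processes" section of the report above.
EVENTS = [
    ProcEvent(1688, 0,
        r"C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe"'),
    ProcEvent(1236, 1688,
        r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
        r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1d96hfpv.cmdline"'),
    ProcEvent(2220, 1236,
        r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
        r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA19D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA19C.tmp"'),
    ProcEvent(2964, 1688,
        r"C:\Users\Admin\AppData\Local\Temp\tmp9EAF.tmp.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\tmp9EAF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe'),
]

COMPILERS = ("vbc.exe", "csc.exe")
# Parents that legitimately invoke the compiler (assumption; tune to your estate).
BENIGN_PARENTS = ("msbuild.exe", "devenv.exe", "dotnet.exe")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_compile_and_drop(events):
    """Return one finding per suspicious compiler launch."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if basename(e.image) not in COMPILERS:
            continue
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in BENIGN_PARENTS:
            continue
        m = RESPONSE_FILE_RE.search(e.cmdline)
        if not m or not TEMP_RE.search(m.group(1)):
            continue  # compiler without a Temp response file: not this pattern
        finding = {
            "compiler_pid": e.pid,
            "parent_pid": e.ppid,
            "response_file": m.group(1),
            # cvtres.exe as a child confirms a full build, not just a syntax check
            "cvtres": any(basename(c.image) == "cvtres.exe"
                          for c in children.get(e.pid, [])),
            "dropped_exe": None,
        }
        # Sibling executed from Temp by the same parent: the compiled payload.
        for sib in children.get(e.ppid, []):
            if (sib.pid != e.pid and TEMP_RE.search(sib.image)
                    and sib.image.lower().endswith(".exe")):
                finding["dropped_exe"] = sib.image
        findings.append(finding)
    return findings


def suspicious_run_value(data):
    """True when a Run-key value's executable lives in a user-writable path."""
    s = data.strip()
    exe = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return bool(USER_WRITABLE_RE.search(exe))


if __name__ == "__main__":
    for f in detect_compile_and_drop(EVENTS):
        print(f)
    # Constructed Run-key value; the report does not show the actual value data.
    print(suspicious_run_value(r'"C:\Users\Admin\AppData\Local\Temp\tmp9EAF.tmp.exe"'))
```

The cvtres.exe child and the sibling `.exe` under Temp are what separate this chain from a developer or build server calling vbc.exe; on a workstation without build tooling, a compiler launch with a `@*.cmdline` response file in Temp is already worth an alert on its own.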

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1d96hfpv.0.vb

    Filesize

    14KB

    MD5

    db1c4b238ceed75ff8deafd23a6d5b96

    SHA1

    4cac6bad257e319d7591cd5092b69a8c45d30237

    SHA256

    fe17fab9198e5b9a43b0ef3537264168ac1e1b2fecc9ec7659f860163cb9456e

    SHA512

    c02813b07db4e53bc34625a06b935d88c1865571be64a5f359b47901bf1aaf942d513152c757373dd60e06d1f3c1468b6876a2d99ab0d33983f6aab0e011a417

  • C:\Users\Admin\AppData\Local\Temp\1d96hfpv.cmdline

    Filesize

    266B

    MD5

    afb4f7bd44d7c6eb9e0b3d2e8b20e056

    SHA1

    f31ffb25e3b363e4f0731e7be443c7dac657591e

    SHA256

    0c1d82d7e2d413f61d657351e91897618606d0341b054b879bc7a08490b8344b

    SHA512

    4e4103515652e1df4509630992ff712c0b43c60785d7ff4716464db4eeceb1fb03b393618b1bf03e1af3a7f6ce03485d0b7d026a9a1addacaedbebb520f38dd7

  • C:\Users\Admin\AppData\Local\Temp\RESA19D.tmp

    Filesize

    1KB

    MD5

    1edbf5b9e51f7f78795c567664199434

    SHA1

    77d91b65dae0e97b0f5fa504c95235289ba05b5f

    SHA256

    12b60bb8103690d957b5abb5940ef07b23081e4d3a824ee5457a9944a391bada

    SHA512

    2559f1a664a945d9a72513f3f90c41730598f7572432c4d578a1203a6526b4341067eaa26ef213700ebabc777c878056a0283c7fbb8a5359c0c208a00979e139

  • C:\Users\Admin\AppData\Local\Temp\tmp9EAF.tmp.exe

    Filesize

    78KB

    MD5

    86363e8fb16ef2899ab1f4b7e2d50e13

    SHA1

    4fff84ee7d745902c3973a773c5bcb793c26e7dd

    SHA256

    5e21c1d0eef0ca0b6a33b439004c233862c1ad48dadde72327f75ab11ae4035f

    SHA512

    9c44405c3306e4bb600599f6c95372bf0ca15dd11dd8979e629a49f7d5b5b5104c60237fbdcb22b028e93927baddaebf7e93aacece2b1e2f148be448eb0372a4

  • C:\Users\Admin\AppData\Local\Temp\vbcA19C.tmp

    Filesize

    660B

    MD5

    0f70c9684df20c34eb386dabdcc20a8f

    SHA1

    6091ade4d683ee5a0df25abae1ba70bc128c3de1

    SHA256

    c0c60739a069dff1cf34acb06147e2c53ba3157c2ab22b9872dcc51780fad025

    SHA512

    eb7c24a7d6b2857f098e6f6ac57df5484e26ca7de0500e359f4be8d1cb67663c9951495bed1fd0e2b8ed7366baa063b405cb4f246eca099f0d8d2bb88f02ed21

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/1236-8-0x0000000074F00000-0x00000000754AB000-memory.dmp

    Filesize

    5.7MB

  • memory/1236-18-0x0000000074F00000-0x00000000754AB000-memory.dmp

    Filesize

    5.7MB

  • memory/1688-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

    Filesize

    4KB

  • memory/1688-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

    Filesize

    5.7MB

  • memory/1688-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

    Filesize

    5.7MB

  • memory/1688-24-0x0000000074F00000-0x00000000754AB000-memory.dmp

    Filesize

    5.7MB