Analysis
max time kernel: 99s
max time network: 113s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 15:22

Static task: static1

Behavioral task: behavioral1
Sample: 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Resource: win10v2004-20241007-en
General
Target: 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Size: 78KB
MD5: 2315b763266a9f2cb9e40548cdfc29db
SHA1: 120fd5a2436528e2f7b40738faf41b0d2e5bf722
SHA256: 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f
SHA512: d821b4da41a71e75eca97a2511d51079c46cbb58e1a659b6b70ee874469fdf660edea48df6f6293675b9f47bb664c5f02576d73d73adbced1cae1cb62e533fb9
SSDEEP: 1536:158Tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6E9/Yx1eEE:158yn7N041Qqhg89/mE
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family
Executes dropped EXE (1 IoCs)
pid   Process
2964  tmp9EAF.tmp.exe
Loads dropped DLL (2 IoCs)
pid   Process
1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
Process: tmp9EAF.tmp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp9EAF.tmp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Token: SeDebugPrivilege  2964  tmp9EAF.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                                  procid_target
PID 1688 wrote to memory of 1236  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe  30
PID 1688 wrote to memory of 1236  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe  30
PID 1688 wrote to memory of 1236  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe  30
PID 1688 wrote to memory of 1236  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe  30
PID 1236 wrote to memory of 2220  1236  vbc.exe                                                                  32
PID 1236 wrote to memory of 2220  1236  vbc.exe                                                                  32
PID 1236 wrote to memory of 2220  1236  vbc.exe                                                                  32
PID 1236 wrote to memory of 2220  1236  vbc.exe                                                                  32
PID 1688 wrote to memory of 2964  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe  33
PID 1688 wrote to memory of 2964  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe  33
PID 1688 wrote to memory of 2964  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe  33
PID 1688 wrote to memory of 2964  1688  89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe  33
Processes
C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1688

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1d96hfpv.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1236

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA19D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA19C.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2220

  C:\Users\Admin\AppData\Local\Temp\tmp9EAF.tmp.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp9EAF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: db1c4b238ceed75ff8deafd23a6d5b96
SHA1: 4cac6bad257e319d7591cd5092b69a8c45d30237
SHA256: fe17fab9198e5b9a43b0ef3537264168ac1e1b2fecc9ec7659f860163cb9456e
SHA512: c02813b07db4e53bc34625a06b935d88c1865571be64a5f359b47901bf1aaf942d513152c757373dd60e06d1f3c1468b6876a2d99ab0d33983f6aab0e011a417

Filesize: 266B
MD5: afb4f7bd44d7c6eb9e0b3d2e8b20e056
SHA1: f31ffb25e3b363e4f0731e7be443c7dac657591e
SHA256: 0c1d82d7e2d413f61d657351e91897618606d0341b054b879bc7a08490b8344b
SHA512: 4e4103515652e1df4509630992ff712c0b43c60785d7ff4716464db4eeceb1fb03b393618b1bf03e1af3a7f6ce03485d0b7d026a9a1addacaedbebb520f38dd7

Filesize: 1KB
MD5: 1edbf5b9e51f7f78795c567664199434
SHA1: 77d91b65dae0e97b0f5fa504c95235289ba05b5f
SHA256: 12b60bb8103690d957b5abb5940ef07b23081e4d3a824ee5457a9944a391bada
SHA512: 2559f1a664a945d9a72513f3f90c41730598f7572432c4d578a1203a6526b4341067eaa26ef213700ebabc777c878056a0283c7fbb8a5359c0c208a00979e139

Filesize: 78KB
MD5: 86363e8fb16ef2899ab1f4b7e2d50e13
SHA1: 4fff84ee7d745902c3973a773c5bcb793c26e7dd
SHA256: 5e21c1d0eef0ca0b6a33b439004c233862c1ad48dadde72327f75ab11ae4035f
SHA512: 9c44405c3306e4bb600599f6c95372bf0ca15dd11dd8979e629a49f7d5b5b5104c60237fbdcb22b028e93927baddaebf7e93aacece2b1e2f148be448eb0372a4

Filesize: 660B
MD5: 0f70c9684df20c34eb386dabdcc20a8f
SHA1: 6091ade4d683ee5a0df25abae1ba70bc128c3de1
SHA256: c0c60739a069dff1cf34acb06147e2c53ba3157c2ab22b9872dcc51780fad025
SHA512: eb7c24a7d6b2857f098e6f6ac57df5484e26ca7de0500e359f4be8d1cb67663c9951495bed1fd0e2b8ed7366baa063b405cb4f246eca099f0d8d2bb88f02ed21

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65