Analysis

  • max time kernel
    130s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-12-2024 01:38

General

  • Target
    a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
  • Size
    78KB
  • MD5
    2664fd9c6f4053b0d0d49e77f0b73687
  • SHA1
    30897c778058572cbd9e6c9db62db4bddf0ed9f9
  • SHA256
    a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd
  • SHA512
    6b3ac294048242896e8e55eeee1ab7ba53cec80a7444a99271945d98265143e5c6da16c8ee2d144f25f70f931665873ed0ce31c94286a927468fd7a9ed7e83e6
  • SSDEEP
    1536:XXgy5jPvZv0kH9gDDtWzYCnJPeoYrGQtN6I9/W1DR:gy5jPl0Y9MDYrm7n9/2

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • MetamorpherRAT family
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
    "C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ixdhvavp.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6DA.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1516
    • C:\Users\Admin\AppData\Local\Temp\tmpA60F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA60F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA6DB.tmp
    Filesize: 1KB
    MD5: 1d2196a723d3113f04c31323da9f76e3
    SHA1: 54db46468c4371048926e350c80d725cd14e060f
    SHA256: 0787a8865b9c82880b0a684d87558942ffaed1a40d713ebdd1f6ffc0449133ad
    SHA512: e1e450e3237a71649ab0df1d8441dc78fb944dd4458b409542476f4a8e79becb5087c0c48049222a70be4fc40ed02c986e1296fa8569418f0895504ee378b02b

  • C:\Users\Admin\AppData\Local\Temp\ixdhvavp.0.vb
    Filesize: 14KB
    MD5: 9396ee9144b447642d2cf2054d979570
    SHA1: 160416d9aea22d503619e89ff36cced5641005aa
    SHA256: 0f64dfa5a3c0fee7ff481f61ac6e505be1fdd65a8b2de8d26558ed7817fe4c98
    SHA512: 5c9ab7d302b0c41a3126bd06451563056b58852a9a6885f0b54f0dd7ff0440aca9b8075f77c29c9cf6ae3afb95c9966277d43c5c8f22c1ef2f8d81df27341710

  • C:\Users\Admin\AppData\Local\Temp\ixdhvavp.cmdline
    Filesize: 266B
    MD5: 1635160866bdacf0244c9fa90d47553f
    SHA1: 8b07e786edbf884501918bb60c3c396e379f4ea8
    SHA256: 64631bd5455187942759e04cfb1f50f5cd37489834422d7ae4436c3485237336
    SHA512: 47037b574ec6691cea0322b3461c067403d40572ce1a2ed92a33072e56084eaaa0da393a14ea084ceafaf78994ed0d76300bb7530f871b2e790ed19a932bea5a

  • C:\Users\Admin\AppData\Local\Temp\tmpA60F.tmp.exe
    Filesize: 78KB
    MD5: c30328b9fb1ac5faa3aa448248a354b8
    SHA1: 95659fc422f9c173bcc70b3a90639bad68b0ed50
    SHA256: e83cea7aaf4a71a7f99f4c6d49805f4b2f076d5f6640d3e4b87f7d81039eb9c2
    SHA512: 675c8613df85b839404d973fe2b777dbbd7a38771efd38315a73e9311033b9acad3210e729ff16baf04aa26a777a08cda2d3d7b14c4e34abfeca9b77934f405e

  • C:\Users\Admin\AppData\Local\Temp\vbcA6DA.tmp
    Filesize: 660B
    MD5: a15fa1db74b269090e0f77247fb9e6f8
    SHA1: d79c87f5a39afe4526b2ad6859b701bc0fc57595
    SHA256: bd4bbb26085dd64f9a528d4eb914ba9a5ffe790b5b2256ca0fd9c98a89fe5efb
    SHA512: 4a8403c8fd506093a8c9064bc15c4d2e81d7172e18e27813e7084821a5e1f80888fdfad53e3af404e95ddb96fa72d335f4e9675921898884a32436e1917d2c92

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
    SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
    SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
    SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/1864-8-0x00000000742D0000-0x000000007487B000-memory.dmp
    Filesize: 5.7MB
  • memory/1864-18-0x00000000742D0000-0x000000007487B000-memory.dmp
    Filesize: 5.7MB
  • memory/2532-0-0x00000000742D1000-0x00000000742D2000-memory.dmp
    Filesize: 4KB
  • memory/2532-1-0x00000000742D0000-0x000000007487B000-memory.dmp
    Filesize: 5.7MB
  • memory/2532-3-0x00000000742D0000-0x000000007487B000-memory.dmp
    Filesize: 5.7MB
  • memory/2532-24-0x00000000742D0000-0x000000007487B000-memory.dmp
    Filesize: 5.7MB