Analysis
max time kernel: 130s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 01:38
Static task: static1
Behavioral task: behavioral1
  Sample: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
  Resource: win10v2004-20241007-en
General
Target: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
Size: 78KB
MD5: 2664fd9c6f4053b0d0d49e77f0b73687
SHA1: 30897c778058572cbd9e6c9db62db4bddf0ed9f9
SHA256: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd
SHA512: 6b3ac294048242896e8e55eeee1ab7ba53cec80a7444a99271945d98265143e5c6da16c8ee2d144f25f70f931665873ed0ce31c94286a927468fd7a9ed7e83e6
SSDEEP: 1536:XXgy5jPvZv0kH9gDDtWzYCnJPeoYrGQtN6I9/W1DR:gy5jPl0Y9MDYrm7n9/2
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family
Executes dropped EXE (1 IoC)
  PID   Process
  2268  tmpA60F.tmp.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""  tmpA60F.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpA60F.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description               PID   Process
  Token: SeDebugPrivilege   2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
  Token: SeDebugPrivilege   2268  tmpA60F.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                 procid_target
  PID 2532 wrote to memory of 1864  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe  30
  PID 2532 wrote to memory of 1864  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe  30
  PID 2532 wrote to memory of 1864  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe  30
  PID 2532 wrote to memory of 1864  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe  30
  PID 1864 wrote to memory of 1516  1864  vbc.exe                                                                 32
  PID 1864 wrote to memory of 1516  1864  vbc.exe                                                                 32
  PID 1864 wrote to memory of 1516  1864  vbc.exe                                                                 32
  PID 1864 wrote to memory of 1516  1864  vbc.exe                                                                 32
  PID 2532 wrote to memory of 2268  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe  33
  PID 2532 wrote to memory of 2268  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe  33
  PID 2532 wrote to memory of 2268  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe  33
  PID 2532 wrote to memory of 2268  2532  a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe  33
Processes
1. C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe"
   PID: 2532
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ixdhvavp.cmdline"
      PID: 1864
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6DA.tmp"
         PID: 1516
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\tmpA60F.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA60F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
      PID: 2268
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: 1d2196a723d3113f04c31323da9f76e3
  SHA1: 54db46468c4371048926e350c80d725cd14e060f
  SHA256: 0787a8865b9c82880b0a684d87558942ffaed1a40d713ebdd1f6ffc0449133ad
  SHA512: e1e450e3237a71649ab0df1d8441dc78fb944dd4458b409542476f4a8e79becb5087c0c48049222a70be4fc40ed02c986e1296fa8569418f0895504ee378b02b
File 2
  Filesize: 14KB
  MD5: 9396ee9144b447642d2cf2054d979570
  SHA1: 160416d9aea22d503619e89ff36cced5641005aa
  SHA256: 0f64dfa5a3c0fee7ff481f61ac6e505be1fdd65a8b2de8d26558ed7817fe4c98
  SHA512: 5c9ab7d302b0c41a3126bd06451563056b58852a9a6885f0b54f0dd7ff0440aca9b8075f77c29c9cf6ae3afb95c9966277d43c5c8f22c1ef2f8d81df27341710
File 3
  Filesize: 266B
  MD5: 1635160866bdacf0244c9fa90d47553f
  SHA1: 8b07e786edbf884501918bb60c3c396e379f4ea8
  SHA256: 64631bd5455187942759e04cfb1f50f5cd37489834422d7ae4436c3485237336
  SHA512: 47037b574ec6691cea0322b3461c067403d40572ce1a2ed92a33072e56084eaaa0da393a14ea084ceafaf78994ed0d76300bb7530f871b2e790ed19a932bea5a
File 4
  Filesize: 78KB
  MD5: c30328b9fb1ac5faa3aa448248a354b8
  SHA1: 95659fc422f9c173bcc70b3a90639bad68b0ed50
  SHA256: e83cea7aaf4a71a7f99f4c6d49805f4b2f076d5f6640d3e4b87f7d81039eb9c2
  SHA512: 675c8613df85b839404d973fe2b777dbbd7a38771efd38315a73e9311033b9acad3210e729ff16baf04aa26a777a08cda2d3d7b14c4e34abfeca9b77934f405e
File 5
  Filesize: 660B
  MD5: a15fa1db74b269090e0f77247fb9e6f8
  SHA1: d79c87f5a39afe4526b2ad6859b701bc0fc57595
  SHA256: bd4bbb26085dd64f9a528d4eb914ba9a5ffe790b5b2256ca0fd9c98a89fe5efb
  SHA512: 4a8403c8fd506093a8c9064bc15c4d2e81d7172e18e27813e7084821a5e1f80888fdfad53e3af404e95ddb96fa72d335f4e9675921898884a32436e1917d2c92
File 6
  Filesize: 62KB
  MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
  SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
  SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
  SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d