Overview

overview

10

Static

static

3

61c02081da...59.exe

windows7-x64

10

61c02081da...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe

  • Size

    78KB

  • MD5

    e4897a8be1034d542242980607e943bf

  • SHA1

    e36b731bcce9b5a998c5f6977171b53941eb4441

  • SHA256

    61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659

  • SHA512

    5d0fed165da8812f4c6320591826bcffd5120c83bec0e4e3e9c8905b5c3f171e20b1ba15af83493e5774e65cb2fff6f555da89f6ee9728683cd90d0186350933

  • SSDEEP

    1536:lWV58BXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6G9/kD1u5:lWV58BSyRxvhTzXPvCbW2UO9/N

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
    "C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ygus6to.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF356796919F8463989E984309CECBD4B.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3908
    • C:\Users\Admin\AppData\Local\Temp\tmpBA67.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBA67.tmp.exe" C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9ygus6to.0.vb
    Filesize

    14KB

    MD5

    e0c7a3b94376287d2b82f1cd27fbfd3b

    SHA1

    c774388d4dedab5d1afc524be58d1a2b34ee23c9

    SHA256

    eab52ff782b5d61745d952e58c836ac579e600f3f14bb74ba3f225de9b7c967b

    SHA512

    1f828de93ae751b3d221ce6b9e24b9ffccce4c895443ff0775fa6621eb2fb05657e40c9593a649d4f18ba0a110329fd8d1d713d55e6ef7a90f6d3d8e6f4052cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9ygus6to.cmdline
    Filesize

    266B

    MD5

    35d8a5008b2b8c2b9c7d91d8c5f271dc

    SHA1

    5ae659bb4d6072e99631dc89c012edd4e08fa7e4

    SHA256

    4945070419d6be1a3d6127b064df9f564789e85f1ebeddc901cd1c07c9a49cd6

    SHA512

    9b6b96217becd17e64bfd44d7208e1a04fb8962f7c6a13469d46d5cddc36cd73ed9d897d35405abc488c6236c7b115a561c5153bb92bc4a6f0b8ee748a7a3a43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESBB61.tmp
    Filesize

    1KB

    MD5

    99e1c28d9feafc06930e10769122038a

    SHA1

    e76c57c32ab730eda5e5efcbef4f775819e77ccf

    SHA256

    c2a3d42491ac2a5401be2e1e325bb34b94b32f46c48ee6a0fae25f81ab8a64f5

    SHA512

    08ffee084c60c47b9f15a3eb5b8748c9a3b93a1d122a7b64c739d13c5bedf37f0b04f85ffcbabf4b1d61b0b739d7bca234773ab73a3aa0a328960e18fa957e16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBA67.tmp.exe
    Filesize

    78KB

    MD5

    b958828062908cce07eda08958c0c7c0

    SHA1

    ffe9197f8435075b7740927f9be6bde8974352d9

    SHA256

    1a1f10f0a2e6842a4eae82e7713e1a88890743e057bf693d314947bd615a86ec

    SHA512

    6414477fe32a5f2d955be9290fa3f773baec5a69a622c092b5c2417c6e01af35d79e8616390911d376d840e0755353e7a9964eefa9d695dd3b0271826928b880

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbcF356796919F8463989E984309CECBD4B.TMP
    Filesize

    660B

    MD5

    c2cc8996b1b84151ee90c1148045376c

    SHA1

    6863f314d6765dd116b5def08a0aaa2bbe4475f9

    SHA256

    bc401207b19a4e3c4a3312c0a0b805f632469d8b89a08148e0d054f3b0919287

    SHA512

    1f12c9eab3cc3d83adc64b20c385d83bc095a9429bfd95777bb8d358a7a8a35e7c9a1d3e56db9c097782527dd448dccdcedb9a0bf93b6f5ad901a5a8190f1c4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

    Download Submit

  • memory/116-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/116-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/116-0-0x0000000075522000-0x0000000075523000-memory.dmp

    Filesize

    4KB

    Download

  • memory/116-22-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/820-23-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/820-24-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/820-26-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/820-27-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/820-28-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4588-18-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4588-8-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

    Download