Analysis
max time kernel: 136s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/01/2025, 19:31

Static task: static1

Behavioral task: behavioral1
  Sample: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
  Resource: win10v2004-20241007-en
General
Target: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
Size: 78KB
MD5: dac11fc0102d2da445dd5d2a31c73d6b
SHA1: 3df37dc3d98d3a28446d742ec2123a5ba7c962e4
SHA256: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661
SHA512: e017b2e10686f6f99db49f7e6558ffd3f812430ee7ad92531d065710589231a7790ed89161aa5b78a5fc68af5a6d1433ca5bb81bbb6b1dfc27849d717145d003
SSDEEP: 1536:o5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtM639/ME1D2:o5jS+E2EwR4uY41HyvYJ9/Mb
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Executes dropped EXE (1 IoC)
PID 2784: tmpB2AC.tmp.exe

Loads dropped DLL (2 IoCs)
PID 2096: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
PID 2096: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" (process: tmpB2AC.tmp.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpB2AC.tmp.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 2096: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
Token: SeDebugPrivilege, PID 2784: tmpB2AC.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
PID 2096 wrote to memory of 2080 (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe, procid_target: 30)
PID 2096 wrote to memory of 2080 (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe, procid_target: 30)
PID 2096 wrote to memory of 2080 (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe, procid_target: 30)
PID 2096 wrote to memory of 2080 (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe, procid_target: 30)
PID 2080 wrote to memory of 2460 (process: vbc.exe, procid_target: 32)
PID 2080 wrote to memory of 2460 (process: vbc.exe, procid_target: 32)
PID 2080 wrote to memory of 2460 (process: vbc.exe, procid_target: 32)
PID 2080 wrote to memory of 2460 (process: vbc.exe, procid_target: 32)
PID 2096 wrote to memory of 2784 (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe, procid_target: 33)
PID 2096 wrote to memory of 2784 (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe, procid_target: 33)
PID 2096 wrote to memory of 2784 (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe, procid_target: 33)
PID 2096 wrote to memory of 2784 (process: 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe, procid_target: 33)
Processes
C:\Users\Admin\AppData\Local\Temp\068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe"
  PID: 2096
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zcpfb9c4.cmdline"
      PID: 2080
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB359.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB358.tmp"
          PID: 2460
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmpB2AC.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB2AC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
      PID: 2784
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads