Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-01-2025 04:26

General

  • Target

    a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe

  • Size

    78KB

  • MD5

    c01acfbac16f7b0dfe65e4e0de987730

  • SHA1

    3aa00e3cccda677af540aa2cc7e2e55832ef0c0f

  • SHA256

    a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225

  • SHA512

    df7a34b01731aa452b1d68b6ece3f69c643eb3ea741f8336aecf24d56c36749d3218d8c92c3da3b737aca94605ccb00081a11b03750d08ca06657fe1b1995d81

  • SSDEEP

    1536:8StHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQte79/x1qw:8StHsh/l0Y9MDYrm7e79/D

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
    "C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vvrgyex1.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3CC.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1160
    • C:\Users\Admin\AppData\Local\Temp\tmpC2A3.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC2A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp

    Filesize

    1KB

    MD5

    6882747a039ef311f987af100fcb0984

    SHA1

    a0d8518a7ee6075aa7eadc4e8d0e1432ebabdfa9

    SHA256

    353ff7d2739b2d3758f277e46cdc9982243839387550f17d5345d5fe25bd2849

    SHA512

    462efb804f53558ba899b5dc72a9c953d2d00cbd46645283b2ec3e9582f013ca9a1fd5a5de4b9e0c468b586338d4029a9a6095f1f520c588aea8e4f930b8ba10

  • C:\Users\Admin\AppData\Local\Temp\tmpC2A3.tmp.exe

    Filesize

    78KB

    MD5

    0df5a462b71dd11ffbd4261f5dce541b

    SHA1

    24d9d41d5ed1b48ac5efdb3beba470514fb7f0f7

    SHA256

    fd3187f08751129bcab8373d6cb3762fd2f3e94b8e940c91fdd15d94091e2073

    SHA512

    149afbdfb87ba2921907e75de1aa85193520cbcd22be42e3c537d90e346f204d7c78fbd2568fd1ec2180077c48552a1ca7573309f907045b72f4b21d2348aa1c

  • C:\Users\Admin\AppData\Local\Temp\vbcC3CC.tmp

    Filesize

    660B

    MD5

    3ea3bde4b4d33986f1bf4852ddf49005

    SHA1

    94774ac2227ff963d952597b054fe88c9c19e43a

    SHA256

    990df38f64ecd090380ebf103eae0881fec91f833a9f9a15d3f5e1406a8395e4

    SHA512

    c801b0bd7f181561b33b278b3e7d91d837f980d4bbfacd3e08ccf74ec7a5c7225335a6587e4abf6c280bb2ed68dc9950d230520af091994bd9e5af99bf5eb69e

  • C:\Users\Admin\AppData\Local\Temp\vvrgyex1.0.vb

    Filesize

    15KB

    MD5

    033b26ab51ab8f6ea1c577493fd1d901

    SHA1

    14f5fcc45499817b7ab3676a96cefc66d9168a0b

    SHA256

    94d128c5f330e7dbe6c571191814d7c5870f214c61d086210538863b8123f82e

    SHA512

    176a9eda18d047b2f3850a2869402557de6b4bcf73055825c3657e3d05d28c73a57fe78fb2296ba95c83ff101380d348bd5e48e3d6f868076670868ff0834514

  • C:\Users\Admin\AppData\Local\Temp\vvrgyex1.cmdline

    Filesize

    266B

    MD5

    fea7b03a91a920bfad508b7f0ed2c5ac

    SHA1

    fc741f7a20322ebe371ed5b22c3f9e1e0ccffc7c

    SHA256

    b9f319c2b90ceee615b3d60f47040721b69a0895c7aab0beedc5d5b674765b72

    SHA512

    8d12c1df35a49ac31a5dfe6e14fde31768fb321d131bd4035284d7af781957ab6de28cee117416cab907d9dc37f23dba9d6a9807b51e289b7c2235d91bbba038

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/1476-8-0x0000000074240000-0x00000000747EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1476-18-0x0000000074240000-0x00000000747EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1812-0-0x0000000074241000-0x0000000074242000-memory.dmp

    Filesize

    4KB

  • memory/1812-1-0x0000000074240000-0x00000000747EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1812-6-0x0000000074240000-0x00000000747EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1812-24-0x0000000074240000-0x00000000747EB000-memory.dmp

    Filesize

    5.7MB