Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2025 04:26

Static task: static1

Behavioral task: behavioral1
Sample: a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
Resource: win10v2004-20241007-en
General
Target: a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
Size: 78KB
MD5: c01acfbac16f7b0dfe65e4e0de987730
SHA1: 3aa00e3cccda677af540aa2cc7e2e55832ef0c0f
SHA256: a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225
SHA512: df7a34b01731aa452b1d68b6ece3f69c643eb3ea741f8336aecf24d56c36749d3218d8c92c3da3b737aca94605ccb00081a11b03750d08ca06657fe1b1995d81
SSDEEP: 1536:8StHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQte79/x1qw:8StHsh/l0Y9MDYrm7e79/D
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoCs)
  pid   Process
  1692  tmpC2A3.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""
  Process: tmpC2A3.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpC2A3.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
  Token: SeDebugPrivilege  1692  tmpC2A3.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                  procid_target
  PID 1812 wrote to memory of 1476  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe  30
  PID 1812 wrote to memory of 1476  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe  30
  PID 1812 wrote to memory of 1476  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe  30
  PID 1812 wrote to memory of 1476  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe  30
  PID 1476 wrote to memory of 1160  1476  vbc.exe                                                                  32
  PID 1476 wrote to memory of 1160  1476  vbc.exe                                                                  32
  PID 1476 wrote to memory of 1160  1476  vbc.exe                                                                  32
  PID 1476 wrote to memory of 1160  1476  vbc.exe                                                                  32
  PID 1812 wrote to memory of 1692  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe  33
  PID 1812 wrote to memory of 1692  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe  33
  PID 1812 wrote to memory of 1692  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe  33
  PID 1812 wrote to memory of 1692  1812  a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe  33
Processes
Process (level 1): C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1812

  Process (level 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vvrgyex1.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1476

    Process (level 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3CC.tmp"
      - System Location Discovery: System Language Discovery
      PID: 1160

  Process (level 2): C:\Users\Admin\AppData\Local\Temp\tmpC2A3.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC2A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1692
Downloads
- Filesize: 1KB
  MD5: 6882747a039ef311f987af100fcb0984
  SHA1: a0d8518a7ee6075aa7eadc4e8d0e1432ebabdfa9
  SHA256: 353ff7d2739b2d3758f277e46cdc9982243839387550f17d5345d5fe25bd2849
  SHA512: 462efb804f53558ba899b5dc72a9c953d2d00cbd46645283b2ec3e9582f013ca9a1fd5a5de4b9e0c468b586338d4029a9a6095f1f520c588aea8e4f930b8ba10
- Filesize: 78KB
  MD5: 0df5a462b71dd11ffbd4261f5dce541b
  SHA1: 24d9d41d5ed1b48ac5efdb3beba470514fb7f0f7
  SHA256: fd3187f08751129bcab8373d6cb3762fd2f3e94b8e940c91fdd15d94091e2073
  SHA512: 149afbdfb87ba2921907e75de1aa85193520cbcd22be42e3c537d90e346f204d7c78fbd2568fd1ec2180077c48552a1ca7573309f907045b72f4b21d2348aa1c
- Filesize: 660B
  MD5: 3ea3bde4b4d33986f1bf4852ddf49005
  SHA1: 94774ac2227ff963d952597b054fe88c9c19e43a
  SHA256: 990df38f64ecd090380ebf103eae0881fec91f833a9f9a15d3f5e1406a8395e4
  SHA512: c801b0bd7f181561b33b278b3e7d91d837f980d4bbfacd3e08ccf74ec7a5c7225335a6587e4abf6c280bb2ed68dc9950d230520af091994bd9e5af99bf5eb69e
- Filesize: 15KB
  MD5: 033b26ab51ab8f6ea1c577493fd1d901
  SHA1: 14f5fcc45499817b7ab3676a96cefc66d9168a0b
  SHA256: 94d128c5f330e7dbe6c571191814d7c5870f214c61d086210538863b8123f82e
  SHA512: 176a9eda18d047b2f3850a2869402557de6b4bcf73055825c3657e3d05d28c73a57fe78fb2296ba95c83ff101380d348bd5e48e3d6f868076670868ff0834514
- Filesize: 266B
  MD5: fea7b03a91a920bfad508b7f0ed2c5ac
  SHA1: fc741f7a20322ebe371ed5b22c3f9e1e0ccffc7c
  SHA256: b9f319c2b90ceee615b3d60f47040721b69a0895c7aab0beedc5d5b674765b72
  SHA512: 8d12c1df35a49ac31a5dfe6e14fde31768fb321d131bd4035284d7af781957ab6de28cee117416cab907d9dc37f23dba9d6a9807b51e289b7c2235d91bbba038
- Filesize: 62KB
  MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
  SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
  SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
  SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d