Overview

overview

10

Static

static

10

cd94462486...32.exe

windows7-x64

10

cd94462486...32.exe

windows10-2004-x64

10

cdb97c07f0...ca.exe

windows7-x64

1

cdb97c07f0...ca.exe

windows10-2004-x64

1

cdfbee96df...25.exe

windows7-x64

10

cdfbee96df...25.exe

windows10-2004-x64

10

ce01fc8942...b5.exe

windows7-x64

10

ce01fc8942...b5.exe

windows10-2004-x64

10

ce5340f773...6e.exe

windows7-x64

10

ce5340f773...6e.exe

windows10-2004-x64

10

ce6d4255fc...f1.exe

windows7-x64

10

ce6d4255fc...f1.exe

windows10-2004-x64

10

ce8f0a3c5b...fc.exe

windows7-x64

8

ce8f0a3c5b...fc.exe

windows10-2004-x64

8

cef4f0409d...db.exe

windows7-x64

10

cef4f0409d...db.exe

windows10-2004-x64

10

cf15609eab...81.exe

windows7-x64

9

cf15609eab...81.exe

windows10-2004-x64

9

cf3f6f6285...6e.exe

windows7-x64

10

cf3f6f6285...6e.exe

windows10-2004-x64

10

cf450b1869...e9.exe

windows7-x64

10

cf450b1869...e9.exe

windows10-2004-x64

10

cf56059ae5...a1.exe

windows7-x64

10

cf56059ae5...a1.exe

windows10-2004-x64

10

cf79ab31cc...04.exe

windows7-x64

10

cf79ab31cc...04.exe

windows10-2004-x64

10

cf8d6b1a05...68.exe

windows7-x64

10

cf8d6b1a05...68.exe

windows10-2004-x64

10

cf96c893c9...10.exe

windows7-x64

1

cf96c893c9...10.exe

windows10-2004-x64

1

cfd31bf82d...9b.exe

windows7-x64

7

cfd31bf82d...9b.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    140s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd94462486ad6fad4ab587ad00762632.exe

  • Size

    78KB

  • MD5

    cd94462486ad6fad4ab587ad00762632

  • SHA1

    600e27f9eaa5040e50513248a440af60040ac9db

  • SHA256

    9868136efa35854a43f56eec9de8c32dff7745db42922395b828f592d56cea04

  • SHA512

    5e1090a78794afcc56304197bec0e90069d02e57808e2f9ac26b0e4dec76b8b148e006ecd8374a0c91648b61a6cf3663b95cc3bc5a601c59ef48b0561487ffb6

  • SSDEEP

    1536:Ay58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6h9/2iL1k6:Ay58An7N041Qqhgp9/2id

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd94462486ad6fad4ab587ad00762632.exe
    "C:\Users\Admin\AppData\Local\Temp\cd94462486ad6fad4ab587ad00762632.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_nvfbsek.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F713D7681E8482FA7EE1A884C481125.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2828
    • C:\Users\Admin\AppData\Local\Temp\tmp5813.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp5813.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cd94462486ad6fad4ab587ad00762632.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5256

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES5A07.tmp
    Filesize

    1KB

    MD5

    c6a01d6c378fdefcbfe8285a4ad76208

    SHA1

    0a7b1e3fe8d595af45d671f2a6ee44f31ca5f25e

    SHA256

    7ca45ac7180fa42d276d7a96d97e25866042a53523d9cda0844a1deff4b9886c

    SHA512

    fc4e8dd281b34f5f93393a8afb5e52d8c9d38a7c21d478b3df76ae07367a109aacd35ffcb61d546d2fc92cc470aff9c5bd023a4b80523feadf61b2093ebde431

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_nvfbsek.0.vb
    Filesize

    14KB

    MD5

    cc1e5e4147d0e92968b03c1a5dd0bcb8

    SHA1

    35b38541c1df972cf65e56e6186c1d2470c2c10d

    SHA256

    f17a0f13dd0480abf65bb2663eff4e57e992a2e6dec3c18eae75833d1e44fff8

    SHA512

    7a443f19aa0b705ea30a392c8b2787bbf316f6fb94bb488ec5bcc61399d2c1d9642640a7470ee4480a3ae7aa6fb7c807c2879536522d7a2455db73ea3bf06943

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_nvfbsek.cmdline
    Filesize

    266B

    MD5

    9970d8dc55a3f3390d6f87dbbac9f221

    SHA1

    d724d23468e76e70a863cdf7b589a5b8e44e6b31

    SHA256

    f6daa8f6e65330a730283ad1e0f272cc386a4ede8be08fabed31c5034b5cd72e

    SHA512

    875773b3cc5e309be8a50d53c03e81946e5d8c94c0d473eb7e1347d0f7a23e3b278cc51750f0eb86e7f48b14fc9507e77f859298947620ec732546352a2b71eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp5813.tmp.exe
    Filesize

    78KB

    MD5

    10c82bb11aa939093330d7e678cf241b

    SHA1

    5b4997e0dd251bb47fd92f190ad118a5d403b48a

    SHA256

    eea55f34f5593891bf9caff83d3415282f9e88d1ef50adff2a21b67b103da2e0

    SHA512

    cd444948e4ca66f4fc0662453d3d38f8fb1dc82e1907d412b53f2a4ae4820b8a9f7e3c6c9d20de7d95f3ce472570132fa41e3b88820128edc8744f0edb02d368

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc4F713D7681E8482FA7EE1A884C481125.TMP
    Filesize

    660B

    MD5

    67eeddd1a3b890b0ce76413898369634

    SHA1

    20b9b8ad0fec084bdfa09febff3655b57a350ad0

    SHA256

    afb8866fff934fbe44d705fdf7529d7199218d14c86ebf560ff454e265199363

    SHA512

    b8d73e68f1e0946df140620039c690425f8d1050a93a55f0bb259692d4656c70c5c7fbe10af93ec11be6494f57354463e88ac3adb27f0965977be9e87e722891

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/2240-1-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2240-2-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2240-0-0x0000000074D52000-0x0000000074D53000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-22-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4796-8-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4796-18-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5256-23-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5256-25-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5256-24-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5256-27-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5256-28-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5256-29-0x0000000074D50000-0x0000000075301000-memory.dmp

    Filesize

    5.7MB

    Download