Analysis

  • max time kernel: 147s
  • max time network: 151s
  • platform: windows7_x64
  • resource: win7-20241023-en
  • resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted: 22/03/2025, 06:09

General

  • Target: 38e8b4b1294e5d3ddacd9be4727487cf.exe
  • Size: 78KB
  • MD5: 38e8b4b1294e5d3ddacd9be4727487cf
  • SHA1: 40c172c9c1986d88f4d06c9a2442b395b4d20272
  • SHA256: 2507c5df7551477aaab6eaf7c07ea04f3989dd052986bd4a4b17f9e947f524b3
  • SHA512: b6da35f3673f9070d2a909a955817927bf4394d00016f2a09e023e9363a289099813bc0f905836ecfe89797fc6b2708707b2c81761fc87d79ea162ce03cbfd34
  • SSDEEP: 1536:3WV5jS/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt9629/e1y3:3WV5jSen7N041QqhgN9/7

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe
    "C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gv6didjf.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2FA.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2476
    • C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB2FB.tmp
    Filesize: 1KB
    MD5: e4cefcbc95ca8680ec27e5b9f7db8410
    SHA1: 9becabaf3cef23cf454e7d0b5c1bd3da1f0b1c76
    SHA256: dc4a0ec8e273f5a16da86cddbde327efd868db26cfa72da0f213ced106f08b33
    SHA512: d541808429061f340e74e939885f03dc348e9d366442f9b8c9ba7bdc96f335575b31eb1db963bed5aa83c1493cf214bc706c82e11562a9854fd1d259b8f80635

  • C:\Users\Admin\AppData\Local\Temp\gv6didjf.0.vb
    Filesize: 14KB
    MD5: 5820b6edc3a27be93d811f22b107cecc
    SHA1: 2d239e592426454558f66608a64d81777864409f
    SHA256: 4cc3871d7a4616b7ed79087c7b8f9dd962357b4bf237f0cc4d960e08e56c3c56
    SHA512: c996a1832cbf362b1eeaf91a8e28d66b74019b096af20dd635eda38e7d1ec5cb2342334a58425fc28a829f83fca96c41ca0d70a7cee89dd13749f620771e64ff

  • C:\Users\Admin\AppData\Local\Temp\gv6didjf.cmdline
    Filesize: 266B
    MD5: 5db8dc73999545573ea39e47070ba4c3
    SHA1: e2a33e36984313a0e1c3668af3834f18d1b53206
    SHA256: 6fd449562367fc43a8ae1175ade2e93b3db9c70c4a2eee57453e78bf6208ab1b
    SHA512: 7a3f270e26160afcce32dadbcd3f863e0bd0c502fe88f2a54a76fe550cef9ba0b4e8a9b5aff15ca319d83cd0aacc37dc1d8793abb10e3102307382291bb79f64

  • C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe
    Filesize: 78KB
    MD5: 312caba3ff033fcb34756cdf42856ed7
    SHA1: 5550fdae395899e34e2509631b9d7cde5e7404f1
    SHA256: 12df84dbfea51cd595d55ae9e6c37db4ad3b8830eae8e409af5f1fc18da65d68
    SHA512: 0c6f89649c9ada02ce45f39398100c94998c68be917d0473afbd7c316de50a6ed3aed8390dadc30dc92424f6bfdd816088742b2c5331ce8c5d9228945108b0bd

  • C:\Users\Admin\AppData\Local\Temp\vbcB2FA.tmp
    Filesize: 660B
    MD5: d335ac1d1bc4fb5f21e2033a5b6aefec
    SHA1: 36ef3f942902d4b3c26d525dc6417e4ad4908ad4
    SHA256: 8a1e46a133d6b8ddab86d67f88f0f55233463f2cbd1972a602928628dd506cb8
    SHA512: 9fdbbbcbbdebb4f5b10a6b4113b2e97e9fb3ceae2a99a20dc1b9886bbefa00990da556fa3219e0aba17e44affc821a76b3603545af32b794bc12528f0dd4a10d

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: aa4bdac8c4e0538ec2bb4b7574c94192
    SHA1: ef76d834232b67b27ebd75708922adea97aeacce
    SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
    SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/1560-8-0x00000000747E0000-0x0000000074D8B000-memory.dmp
    Filesize: 5.7MB

  • memory/1560-18-0x00000000747E0000-0x0000000074D8B000-memory.dmp
    Filesize: 5.7MB

  • memory/1672-0-0x00000000747E1000-0x00000000747E2000-memory.dmp
    Filesize: 4KB

  • memory/1672-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp
    Filesize: 5.7MB

  • memory/1672-2-0x00000000747E0000-0x0000000074D8B000-memory.dmp
    Filesize: 5.7MB

  • memory/1672-24-0x00000000747E0000-0x0000000074D8B000-memory.dmp
    Filesize: 5.7MB