Overview
overview
10Static
static
1037b5b3a304...08.exe
windows7-x64
1037b5b3a304...08.exe
windows10-2004-x64
1037d3fcd505...96.exe
windows7-x64
137d3fcd505...96.exe
windows10-2004-x64
137e1fc1ec8...90.exe
windows7-x64
1037e1fc1ec8...90.exe
windows10-2004-x64
103806b87b25...f8.exe
windows7-x64
83806b87b25...f8.exe
windows10-2004-x64
83834ae494a...cf.exe
windows7-x64
103834ae494a...cf.exe
windows10-2004-x64
10385f35ff50...3c.exe
windows7-x64
7385f35ff50...3c.exe
windows10-2004-x64
738e8b4b129...cf.exe
windows7-x64
1038e8b4b129...cf.exe
windows10-2004-x64
738f5cbcb2f...a0.exe
windows7-x64
1038f5cbcb2f...a0.exe
windows10-2004-x64
1038fa74b5c6...d1.exe
windows7-x64
1038fa74b5c6...d1.exe
windows10-2004-x64
103925d50ec0...52.exe
windows7-x64
103925d50ec0...52.exe
windows10-2004-x64
103941105d7c...e6.exe
windows7-x64
103941105d7c...e6.exe
windows10-2004-x64
7394f64ff5b...3e.exe
windows7-x64
10394f64ff5b...3e.exe
windows10-2004-x64
1039813551d3...ec.exe
windows7-x64
1039813551d3...ec.exe
windows10-2004-x64
10398d0de7a9...9d.exe
windows7-x64
1398d0de7a9...9d.exe
windows10-2004-x64
139a387cb5e...2f.exe
windows7-x64
839a387cb5e...2f.exe
windows10-2004-x64
839a7f02d9e...aa.exe
windows7-x64
839a7f02d9e...aa.exe
windows10-2004-x64
8Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
22/03/2025, 06:09
Behavioral task
behavioral1
Sample
37b5b3a3044b6d582546b772fa8cee08.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
37b5b3a3044b6d582546b772fa8cee08.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
37d3fcd5058c45d2c2bba065a5c22296.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
37d3fcd5058c45d2c2bba065a5c22296.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
37e1fc1ec800f44c686bd7c2ea3c8890.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
37e1fc1ec800f44c686bd7c2ea3c8890.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
3806b87b2562c44df09560409b8759bae8ba6dbe918fe9020f61088360cb99f8.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
3806b87b2562c44df09560409b8759bae8ba6dbe918fe9020f61088360cb99f8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
3834ae494af0fd48ecc667bea1ef47cf.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
3834ae494af0fd48ecc667bea1ef47cf.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
385f35ff50b3c39fd02425bb9baf09a100e555087c6dedafddcc98052d8f703c.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
385f35ff50b3c39fd02425bb9baf09a100e555087c6dedafddcc98052d8f703c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
38e8b4b1294e5d3ddacd9be4727487cf.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
38e8b4b1294e5d3ddacd9be4727487cf.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
38fa74b5c6f3bc1f8061998ae2d881d1.exe
Resource
win7-20250207-en
Behavioral task
behavioral18
Sample
38fa74b5c6f3bc1f8061998ae2d881d1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
3925d50ec09cade5278e78250a503852.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
3925d50ec09cade5278e78250a503852.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
3941105d7c81e962f92d2023da9ec9e6.exe
Resource
win7-20250207-en
Behavioral task
behavioral22
Sample
3941105d7c81e962f92d2023da9ec9e6.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
394f64ff5b12eab1067babefe641f23e.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
394f64ff5b12eab1067babefe641f23e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
39813551d3b3ee13a718ee63b2d63dec.exe
Resource
win7-20250207-en
Behavioral task
behavioral26
Sample
39813551d3b3ee13a718ee63b2d63dec.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
398d0de7a9676d640f72d3e865a704c9577be0e57cde62434a628ed88dccf79d.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
398d0de7a9676d640f72d3e865a704c9577be0e57cde62434a628ed88dccf79d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
39a387cb5e2530237c32fac8504faed4b43ca4929459af88a9362697f2f9172f.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
39a387cb5e2530237c32fac8504faed4b43ca4929459af88a9362697f2f9172f.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral31
Sample
39a7f02d9e76b2b1d996ec00e73d9e5ad7a78380e50bf46ee013df73a37a10aa.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
39a7f02d9e76b2b1d996ec00e73d9e5ad7a78380e50bf46ee013df73a37a10aa.exe
Resource
win10v2004-20250314-en
General
-
Target
38e8b4b1294e5d3ddacd9be4727487cf.exe
-
Size
78KB
-
MD5
38e8b4b1294e5d3ddacd9be4727487cf
-
SHA1
40c172c9c1986d88f4d06c9a2442b395b4d20272
-
SHA256
2507c5df7551477aaab6eaf7c07ea04f3989dd052986bd4a4b17f9e947f524b3
-
SHA512
b6da35f3673f9070d2a909a955817927bf4394d00016f2a09e023e9363a289099813bc0f905836ecfe89797fc6b2708707b2c81761fc87d79ea162ce03cbfd34
-
SSDEEP
1536:3WV5jS/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt9629/e1y3:3WV5jSen7N041QqhgN9/7
Malware Config
Signatures
-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Executes dropped EXE 1 IoCs
pid Process 2468 tmpB24F.tmp.exe -
Loads dropped DLL 2 IoCs
pid Process 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" tmpB24F.tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 38e8b4b1294e5d3ddacd9be4727487cf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmpB24F.tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe Token: SeDebugPrivilege 2468 tmpB24F.tmp.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1672 wrote to memory of 1560 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 30 PID 1672 wrote to memory of 1560 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 30 PID 1672 wrote to memory of 1560 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 30 PID 1672 wrote to memory of 1560 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 30 PID 1560 wrote to memory of 2476 1560 vbc.exe 32 PID 1560 wrote to memory of 2476 1560 vbc.exe 32 PID 1560 wrote to memory of 2476 1560 vbc.exe 32 PID 1560 wrote to memory of 2476 1560 vbc.exe 32 PID 1672 wrote to memory of 2468 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 33 PID 1672 wrote to memory of 2468 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 33 PID 1672 wrote to memory of 2468 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 33 PID 1672 wrote to memory of 2468 1672 38e8b4b1294e5d3ddacd9be4727487cf.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe"C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gv6didjf.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2FA.tmp"3⤵
- System Location Discovery: System Language Discovery
PID:2476
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB24F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e4cefcbc95ca8680ec27e5b9f7db8410
SHA19becabaf3cef23cf454e7d0b5c1bd3da1f0b1c76
SHA256dc4a0ec8e273f5a16da86cddbde327efd868db26cfa72da0f213ced106f08b33
SHA512d541808429061f340e74e939885f03dc348e9d366442f9b8c9ba7bdc96f335575b31eb1db963bed5aa83c1493cf214bc706c82e11562a9854fd1d259b8f80635
-
Filesize
14KB
MD55820b6edc3a27be93d811f22b107cecc
SHA12d239e592426454558f66608a64d81777864409f
SHA2564cc3871d7a4616b7ed79087c7b8f9dd962357b4bf237f0cc4d960e08e56c3c56
SHA512c996a1832cbf362b1eeaf91a8e28d66b74019b096af20dd635eda38e7d1ec5cb2342334a58425fc28a829f83fca96c41ca0d70a7cee89dd13749f620771e64ff
-
Filesize
266B
MD55db8dc73999545573ea39e47070ba4c3
SHA1e2a33e36984313a0e1c3668af3834f18d1b53206
SHA2566fd449562367fc43a8ae1175ade2e93b3db9c70c4a2eee57453e78bf6208ab1b
SHA5127a3f270e26160afcce32dadbcd3f863e0bd0c502fe88f2a54a76fe550cef9ba0b4e8a9b5aff15ca319d83cd0aacc37dc1d8793abb10e3102307382291bb79f64
-
Filesize
78KB
MD5312caba3ff033fcb34756cdf42856ed7
SHA15550fdae395899e34e2509631b9d7cde5e7404f1
SHA25612df84dbfea51cd595d55ae9e6c37db4ad3b8830eae8e409af5f1fc18da65d68
SHA5120c6f89649c9ada02ce45f39398100c94998c68be917d0473afbd7c316de50a6ed3aed8390dadc30dc92424f6bfdd816088742b2c5331ce8c5d9228945108b0bd
-
Filesize
660B
MD5d335ac1d1bc4fb5f21e2033a5b6aefec
SHA136ef3f942902d4b3c26d525dc6417e4ad4908ad4
SHA2568a1e46a133d6b8ddab86d67f88f0f55233463f2cbd1972a602928628dd506cb8
SHA5129fdbbbcbbdebb4f5b10a6b4113b2e97e9fb3ceae2a99a20dc1b9886bbefa00990da556fa3219e0aba17e44affc821a76b3603545af32b794bc12528f0dd4a10d
-
Filesize
62KB
MD5aa4bdac8c4e0538ec2bb4b7574c94192
SHA1ef76d834232b67b27ebd75708922adea97aeacce
SHA256d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA5120ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65