Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/03/2025, 06:09

General

  • Target: 3834ae494af0fd48ecc667bea1ef47cf.exe
  • Size: 78KB
  • MD5: 3834ae494af0fd48ecc667bea1ef47cf
  • SHA1: f9eaf46f7a2984ea27b86cfe0a8a22f5cf8f84ad
  • SHA256: c791781a31dc589e586824324fd17b81091656130f2efceca554adddc668f8e0
  • SHA512: eaec00e79da4238f13ba254fdd9dc1b19f660a0d09401c1deaa9fc17ac3bff4b2d0b711a54c6cdb460aa57141f32994072695e210cc57efa2b7a1bfe4da0a75c
  • SSDEEP: 1536:q5jScdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6/9/S1R2:q5jSrn7N041Qqhg09/T

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a remote access tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3834ae494af0fd48ecc667bea1ef47cf.exe
    "C:\Users\Admin\AppData\Local\Temp\3834ae494af0fd48ecc667bea1ef47cf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iyird5ew.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FD6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FD5.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2616
    • C:\Users\Admin\AppData\Local\Temp\tmp4F48.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp4F48.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3834ae494af0fd48ecc667bea1ef47cf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES4FD6.tmp
    Filesize: 1KB
    MD5: ccfeb11a88d4a93a37853e23b658578b
    SHA1: 0eecb3ff031074d943f33d83620971f8e9bfc411
    SHA256: 5d2de1b81817abb7640f5765bf80ba37ff5f1fd2633c831e014967879caec101
    SHA512: 3be031f466677db8357d44ca7429fec02f3b2d84370fd9f9d2b3a089eebb5287cf1fad65b63dbb01a977789c747fe5553c03aa2fd8b76bbdd2691577b3604512

  • C:\Users\Admin\AppData\Local\Temp\iyird5ew.0.vb
    Filesize: 14KB
    MD5: 617fc62589f4ba20f2c90783cd860481
    SHA1: 42b6ab7907e367b269a67b28e53e40041bf3d476
    SHA256: 78ae3643e36e4d99f801cad0f2ee35487223306628867710cd2da46250818180
    SHA512: 1d9fe3ea316f6851d9159f8eadf35cae741beebf9dc512bae886e098148c4d3fa5e39a69005abcbbc9740cf956c7f213b14da056e7659682a64a1bf72abde562

  • C:\Users\Admin\AppData\Local\Temp\iyird5ew.cmdline
    Filesize: 266B
    MD5: 772e6342cf835291bb55ae749fdc6ebd
    SHA1: 34263e93b4a5d662bfcae828216b5190b01c5d89
    SHA256: f99f976dc436aadf319a5671f3039b77234d1af341ba219aefa8187a20c528c9
    SHA512: 6e0c45face8b62cba7dac07e39d8a78fb0622c7343e39eb26cd133de141debf49de36457849ccfdfaf5a275dc5bc7d6dc2f12723143698ebeed8f765beabb754

  • C:\Users\Admin\AppData\Local\Temp\tmp4F48.tmp.exe
    Filesize: 78KB
    MD5: c27ef5339b5229d1155e4b8ed8291de8
    SHA1: 51a3940d2c1eb695e10d84f655c808efce2143d9
    SHA256: 0e9ebe0c74471fadd33c0771ce799c81416e32d30c2eeef46254ebd831b54b13
    SHA512: ad6380fd97ff3e1ec1f176e50a15109c8e8642acb1443b881709ce587dc074e84214d5c0aafabafbd47a244b7347a818e3ba9475f03bf669af7220bc04ef71ec

  • C:\Users\Admin\AppData\Local\Temp\vbc4FD5.tmp
    Filesize: 660B
    MD5: 542b73ae50748d707ad624941f776275
    SHA1: acb03904ede58d80fb8f5cefdfa681f54e0b6da9
    SHA256: 75940bdca8290bac445173f30839d81b5ca7db6c59af3ab6bb5656898be4848f
    SHA512: d884e4422e7465ac54b5add59ca97985f32e8849ad6d5b42247ced1af4cb7ec88a91926914cb8ef98011f3ad54c9bce59e86a0edf31372034f654ea12cbdc66d

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: aa4bdac8c4e0538ec2bb4b7574c94192
    SHA1: ef76d834232b67b27ebd75708922adea97aeacce
    SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
    SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/2604-8-0x0000000074FD0000-0x000000007557B000-memory.dmp
    Filesize: 5.7MB

  • memory/2604-18-0x0000000074FD0000-0x000000007557B000-memory.dmp
    Filesize: 5.7MB

  • memory/2640-0-0x0000000074FD1000-0x0000000074FD2000-memory.dmp
    Filesize: 4KB

  • memory/2640-1-0x0000000074FD0000-0x000000007557B000-memory.dmp
    Filesize: 5.7MB

  • memory/2640-2-0x0000000074FD0000-0x000000007557B000-memory.dmp
    Filesize: 5.7MB

  • memory/2640-24-0x0000000074FD0000-0x000000007557B000-memory.dmp
    Filesize: 5.7MB