Overview
overview
10Static
static
1037b5b3a304...08.exe
windows7-x64
1037b5b3a304...08.exe
windows10-2004-x64
1037d3fcd505...96.exe
windows7-x64
137d3fcd505...96.exe
windows10-2004-x64
137e1fc1ec8...90.exe
windows7-x64
1037e1fc1ec8...90.exe
windows10-2004-x64
103806b87b25...f8.exe
windows7-x64
83806b87b25...f8.exe
windows10-2004-x64
83834ae494a...cf.exe
windows7-x64
103834ae494a...cf.exe
windows10-2004-x64
10385f35ff50...3c.exe
windows7-x64
7385f35ff50...3c.exe
windows10-2004-x64
738e8b4b129...cf.exe
windows7-x64
1038e8b4b129...cf.exe
windows10-2004-x64
738f5cbcb2f...a0.exe
windows7-x64
1038f5cbcb2f...a0.exe
windows10-2004-x64
1038fa74b5c6...d1.exe
windows7-x64
1038fa74b5c6...d1.exe
windows10-2004-x64
103925d50ec0...52.exe
windows7-x64
103925d50ec0...52.exe
windows10-2004-x64
103941105d7c...e6.exe
windows7-x64
103941105d7c...e6.exe
windows10-2004-x64
7394f64ff5b...3e.exe
windows7-x64
10394f64ff5b...3e.exe
windows10-2004-x64
1039813551d3...ec.exe
windows7-x64
1039813551d3...ec.exe
windows10-2004-x64
10398d0de7a9...9d.exe
windows7-x64
1398d0de7a9...9d.exe
windows10-2004-x64
139a387cb5e...2f.exe
windows7-x64
839a387cb5e...2f.exe
windows10-2004-x64
839a7f02d9e...aa.exe
windows7-x64
839a7f02d9e...aa.exe
windows10-2004-x64
8Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22/03/2025, 06:09
Behavioral task
behavioral1
Sample
37b5b3a3044b6d582546b772fa8cee08.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
37b5b3a3044b6d582546b772fa8cee08.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
37d3fcd5058c45d2c2bba065a5c22296.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
37d3fcd5058c45d2c2bba065a5c22296.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
37e1fc1ec800f44c686bd7c2ea3c8890.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
37e1fc1ec800f44c686bd7c2ea3c8890.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
3806b87b2562c44df09560409b8759bae8ba6dbe918fe9020f61088360cb99f8.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
3806b87b2562c44df09560409b8759bae8ba6dbe918fe9020f61088360cb99f8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
3834ae494af0fd48ecc667bea1ef47cf.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
3834ae494af0fd48ecc667bea1ef47cf.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
385f35ff50b3c39fd02425bb9baf09a100e555087c6dedafddcc98052d8f703c.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
385f35ff50b3c39fd02425bb9baf09a100e555087c6dedafddcc98052d8f703c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
38e8b4b1294e5d3ddacd9be4727487cf.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
38e8b4b1294e5d3ddacd9be4727487cf.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
38fa74b5c6f3bc1f8061998ae2d881d1.exe
Resource
win7-20250207-en
Behavioral task
behavioral18
Sample
38fa74b5c6f3bc1f8061998ae2d881d1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
3925d50ec09cade5278e78250a503852.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
3925d50ec09cade5278e78250a503852.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
3941105d7c81e962f92d2023da9ec9e6.exe
Resource
win7-20250207-en
Behavioral task
behavioral22
Sample
3941105d7c81e962f92d2023da9ec9e6.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
394f64ff5b12eab1067babefe641f23e.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
394f64ff5b12eab1067babefe641f23e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
39813551d3b3ee13a718ee63b2d63dec.exe
Resource
win7-20250207-en
Behavioral task
behavioral26
Sample
39813551d3b3ee13a718ee63b2d63dec.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
398d0de7a9676d640f72d3e865a704c9577be0e57cde62434a628ed88dccf79d.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
398d0de7a9676d640f72d3e865a704c9577be0e57cde62434a628ed88dccf79d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
39a387cb5e2530237c32fac8504faed4b43ca4929459af88a9362697f2f9172f.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
39a387cb5e2530237c32fac8504faed4b43ca4929459af88a9362697f2f9172f.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral31
Sample
39a7f02d9e76b2b1d996ec00e73d9e5ad7a78380e50bf46ee013df73a37a10aa.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
39a7f02d9e76b2b1d996ec00e73d9e5ad7a78380e50bf46ee013df73a37a10aa.exe
Resource
win10v2004-20250314-en
General
-
Target
3834ae494af0fd48ecc667bea1ef47cf.exe
-
Size
78KB
-
MD5
3834ae494af0fd48ecc667bea1ef47cf
-
SHA1
f9eaf46f7a2984ea27b86cfe0a8a22f5cf8f84ad
-
SHA256
c791781a31dc589e586824324fd17b81091656130f2efceca554adddc668f8e0
-
SHA512
eaec00e79da4238f13ba254fdd9dc1b19f660a0d09401c1deaa9fc17ac3bff4b2d0b711a54c6cdb460aa57141f32994072695e210cc57efa2b7a1bfe4da0a75c
-
SSDEEP
1536:q5jScdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6/9/S1R2:q5jSrn7N041Qqhg09/T
Malware Config
Signatures
-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Executes dropped EXE 1 IoCs
pid Process 2576 tmp4F48.tmp.exe -
Loads dropped DLL 2 IoCs
pid Process 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 2640 3834ae494af0fd48ecc667bea1ef47cf.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" tmp4F48.tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3834ae494af0fd48ecc667bea1ef47cf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp4F48.tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2640 3834ae494af0fd48ecc667bea1ef47cf.exe Token: SeDebugPrivilege 2576 tmp4F48.tmp.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2604 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 28 PID 2640 wrote to memory of 2604 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 28 PID 2640 wrote to memory of 2604 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 28 PID 2640 wrote to memory of 2604 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 28 PID 2604 wrote to memory of 2616 2604 vbc.exe 30 PID 2604 wrote to memory of 2616 2604 vbc.exe 30 PID 2604 wrote to memory of 2616 2604 vbc.exe 30 PID 2604 wrote to memory of 2616 2604 vbc.exe 30 PID 2640 wrote to memory of 2576 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 31 PID 2640 wrote to memory of 2576 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 31 PID 2640 wrote to memory of 2576 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 31 PID 2640 wrote to memory of 2576 2640 3834ae494af0fd48ecc667bea1ef47cf.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\3834ae494af0fd48ecc667bea1ef47cf.exe"C:\Users\Admin\AppData\Local\Temp\3834ae494af0fd48ecc667bea1ef47cf.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iyird5ew.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FD6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FD5.tmp"3⤵
- System Location Discovery: System Language Discovery
PID:2616
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmp4F48.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4F48.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3834ae494af0fd48ecc667bea1ef47cf.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ccfeb11a88d4a93a37853e23b658578b
SHA10eecb3ff031074d943f33d83620971f8e9bfc411
SHA2565d2de1b81817abb7640f5765bf80ba37ff5f1fd2633c831e014967879caec101
SHA5123be031f466677db8357d44ca7429fec02f3b2d84370fd9f9d2b3a089eebb5287cf1fad65b63dbb01a977789c747fe5553c03aa2fd8b76bbdd2691577b3604512
-
Filesize
14KB
MD5617fc62589f4ba20f2c90783cd860481
SHA142b6ab7907e367b269a67b28e53e40041bf3d476
SHA25678ae3643e36e4d99f801cad0f2ee35487223306628867710cd2da46250818180
SHA5121d9fe3ea316f6851d9159f8eadf35cae741beebf9dc512bae886e098148c4d3fa5e39a69005abcbbc9740cf956c7f213b14da056e7659682a64a1bf72abde562
-
Filesize
266B
MD5772e6342cf835291bb55ae749fdc6ebd
SHA134263e93b4a5d662bfcae828216b5190b01c5d89
SHA256f99f976dc436aadf319a5671f3039b77234d1af341ba219aefa8187a20c528c9
SHA5126e0c45face8b62cba7dac07e39d8a78fb0622c7343e39eb26cd133de141debf49de36457849ccfdfaf5a275dc5bc7d6dc2f12723143698ebeed8f765beabb754
-
Filesize
78KB
MD5c27ef5339b5229d1155e4b8ed8291de8
SHA151a3940d2c1eb695e10d84f655c808efce2143d9
SHA2560e9ebe0c74471fadd33c0771ce799c81416e32d30c2eeef46254ebd831b54b13
SHA512ad6380fd97ff3e1ec1f176e50a15109c8e8642acb1443b881709ce587dc074e84214d5c0aafabafbd47a244b7347a818e3ba9475f03bf669af7220bc04ef71ec
-
Filesize
660B
MD5542b73ae50748d707ad624941f776275
SHA1acb03904ede58d80fb8f5cefdfa681f54e0b6da9
SHA25675940bdca8290bac445173f30839d81b5ca7db6c59af3ab6bb5656898be4848f
SHA512d884e4422e7465ac54b5add59ca97985f32e8849ad6d5b42247ced1af4cb7ec88a91926914cb8ef98011f3ad54c9bce59e86a0edf31372034f654ea12cbdc66d
-
Filesize
62KB
MD5aa4bdac8c4e0538ec2bb4b7574c94192
SHA1ef76d834232b67b27ebd75708922adea97aeacce
SHA256d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA5120ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65