Overview

overview

10

Static

static

10

63bc6776b7...3b.exe

windows7-x64

10

63bc6776b7...3b.exe

windows10-2004-x64

10

641434cfae...75.exe

windows7-x64

10

641434cfae...75.exe

windows10-2004-x64

10

642fefb64c...0c.exe

windows7-x64

10

642fefb64c...0c.exe

windows10-2004-x64

10

6433ad2b9d...59.exe

windows7-x64

10

6433ad2b9d...59.exe

windows10-2004-x64

10

64402f0d8e...c0.exe

windows7-x64

10

64402f0d8e...c0.exe

windows10-2004-x64

10

6443d92f8c...ff.exe

windows7-x64

10

6443d92f8c...ff.exe

windows10-2004-x64

10

647ab91c93...52.exe

windows7-x64

1

647ab91c93...52.exe

windows10-2004-x64

10

64a6177287...fd.exe

windows7-x64

1

64a6177287...fd.exe

windows10-2004-x64

1

64cb9bc958...bf.exe

windows7-x64

3

64cb9bc958...bf.exe

windows10-2004-x64

3

64d77182d5...9a.exe

windows7-x64

10

64d77182d5...9a.exe

windows10-2004-x64

10

64f4533af0...b2.exe

windows7-x64

10

64f4533af0...b2.exe

windows10-2004-x64

10

650411faaa...82.exe

windows7-x64

10

650411faaa...82.exe

windows10-2004-x64

10

65099e4d1a...a3.exe

windows7-x64

7

65099e4d1a...a3.exe

windows10-2004-x64

7

6568e08910...e3.exe

windows7-x64

10

6568e08910...e3.exe

windows10-2004-x64

10

656d929530...ab.exe

windows7-x64

10

656d929530...ab.exe

windows10-2004-x64

10

65720da539...b1.exe

windows7-x64

10

65720da539...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64d77182d5d559f24eac8d7dc728bb9a.exe

  • Size

    78KB

  • MD5

    64d77182d5d559f24eac8d7dc728bb9a

  • SHA1

    80d3c4c71adfb2a675b2322d4fad6122c4c0ff11

  • SHA256

    93cddead5db08cea0170a9ab0cab8cab6dadce110c8e0b2a013c050a0b4a818b

  • SHA512

    24e3982c0b1928c2641d92fe22cbe4ead35aff1e547b949901cceb45e48f12e29fb8903cb20e3077fbcf87f4e322456a651b3e5a3a204e0cdf8ca66417cb11ac

  • SSDEEP

    1536:esHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtx9/61Jj:esHY53Ln7N041Qqhgx9/q

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64d77182d5d559f24eac8d7dc728bb9a.exe
    "C:\Users\Admin\AppData\Local\Temp\64d77182d5d559f24eac8d7dc728bb9a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tkarprtm.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8201.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE853670DBCF7449685373E8CF7E644B8.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1520
    • C:\Users\Admin\AppData\Local\Temp\tmp80E8.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp80E8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\64d77182d5d559f24eac8d7dc728bb9a.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES8201.tmp
    Filesize

    1KB

    MD5

    37b45e0e4bed392f8726920dc7969e87

    SHA1

    972e44ce638f9565e73e4ea8f84e275a3265ad7e

    SHA256

    616b2bb5dbf555939df761ac1be6cc49fd7af22549cb87c81ea8a4b2cd1d6207

    SHA512

    c0086ce4dff748ab5ad7122be89c3701af063202f860e1166b8905a126266f04603d2ba59709008a537079166a2770d78318adcd5a9695cd491f81fece31d515

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tkarprtm.0.vb
    Filesize

    15KB

    MD5

    bdd2626f8939f7d636d98c868534b160

    SHA1

    ad19a0e060a043e13334c9ef123ff97697b591da

    SHA256

    51a6025985cad9cc5243a04abb0f3dda422908e11fa53d2d05854fdc600aceeb

    SHA512

    f97b46433f3d190c9c5fd4209ad3277c922dce1d9fb6b8bd226aa0ec324f7cb485490ee0852d3b5dcf8520033bfc26b146615f130371b73aaf07b10d463453c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tkarprtm.cmdline
    Filesize

    266B

    MD5

    085e8f53bfc249ae1312c536b5bf6df4

    SHA1

    81b9b175cf124c52678163a12c5c9fe3c3a2a3b2

    SHA256

    77c08053ec90bd8386493997449d3e20e0edfa3a76c94a92dc64f60c1cbc3f0d

    SHA512

    932aaf5c98fac4270203891d5adbc4f1b48d4b558d4bcad6437a0cd6d5cc3c6b3176e35c88de86634dadfbed20864be6efe356304f36c9a9f10195b97818f3b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp80E8.tmp.exe
    Filesize

    78KB

    MD5

    25ed5a93062498fdf9758f28dbc3aaa0

    SHA1

    0470c9bee95bca15905dd5df238e8299220d9ee3

    SHA256

    1ea361f87a144b36eac3465056e1ce250ffd86c21cfc770c87d568684e760442

    SHA512

    b681376d3ab54ea8be4c9ecace63da20def14f3fe6f034fd233e92a18b99c680bfd32ed39a3e6659b3e15de3658d247f85b10aa421ea70c628b831da32c84ebe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbcE853670DBCF7449685373E8CF7E644B8.TMP
    Filesize

    660B

    MD5

    93767f780a458d3b569e0233009ea1e0

    SHA1

    0a9e6bde1526bdd2a31dfafc87329154d05d8a7f

    SHA256

    cf5f4cee49076b5c65aba80c4e9b51e969f0a0d3628b30fe5aa3f6f6bd3578be

    SHA512

    977c96b6f2f1916a661ffe2e58d0c16502361c9f6b4cbdc66ca317dc6240d438ec211177198b39d8f37e72060f2e12fafb053040bc4a4483e0e4b0b128589e25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/396-22-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/396-2-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/396-1-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/396-0-0x00000000752D2000-0x00000000752D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-9-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4676-18-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5072-23-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5072-24-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5072-26-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5072-27-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5072-28-0x00000000752D0000-0x0000000075881000-memory.dmp

    Filesize

    5.7MB

    Download