Analysis

  • max time kernel
    142s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:12

General

  • Target

    6f6b7ee9a4b8c657931ecaacd04849db.exe

  • Size

    78KB

  • MD5

    6f6b7ee9a4b8c657931ecaacd04849db

  • SHA1

    aadc1272891324493ad099c65e72a7bff8b2fd0b

  • SHA256

    11fb7846090fb2e23cba8a66b1e5e605072aab6580cb9103f9d3e89205826a1a

  • SHA512

    3c64218ed10eec552f198b17289aced5feaefec0c6ca8b1f25ed7f7e2cc1cab3fa98202f8bf0590810131c0cf12c38e5e9cd772170b5eb73873af7d8b12e7074

  • SSDEEP

    1536:NPWtHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/q1zv:NPWtHFo53Ln7N041QqhgD9/o

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe
    "C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bllaubtd.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcECDE.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884
    • C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESECDF.tmp

    Filesize

    1KB

    MD5

    fc01fe7a0a0753c0604c89cf4b2b7455

    SHA1

    9d2e402bd6f2f994a262f9ccf783c326aa40a7bc

    SHA256

    2223fe8c36d828e63f232713d9ab31e94f9dc7b1fbcc7a91a5b7bcfbf3f25084

    SHA512

    55a9f2d4204302a13ad2b0cae55322dce8f6cb1da6f94bdca571d51501ce6b61e5c6bde7847857aae23095283b4a749a3827939784c1a01759e50f192bc172f4

  • C:\Users\Admin\AppData\Local\Temp\bllaubtd.0.vb

    Filesize

    15KB

    MD5

    7e094819f5eee24cf1b3864d9d3a9ab5

    SHA1

    43b612055ce9450446bcf41a882614667f1ce799

    SHA256

    9c37c519f38ef66713837be6e8ac169fedd07f77745447df4a9243a2972ee86e

    SHA512

    3f945879cab316ed5c7e121fc41f4d96d7ab0eafa2c0f948335534054a6fa3114289c65232002e54459c5f8d1353c5908fccf1dd6964ca058df64c9a82136ad6

  • C:\Users\Admin\AppData\Local\Temp\bllaubtd.cmdline

    Filesize

    266B

    MD5

    447dd73d2c71d124302accf59625dd2c

    SHA1

    2fc59a8ab1be04f0f671cdc908d33f0db4517f58

    SHA256

    d815cb7751755355153ee9f5737c0ef5b9f8cb4379aa747029f580868d216a79

    SHA512

    2154b579f141ac207b634a6af25e07b0c649a73a10048965720cb5ac8b965a6050708bf41c4d6aa181bc57c90a7f59587215e1f932b1d332e9bf79c7986dc6c0

  • C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp.exe

    Filesize

    78KB

    MD5

    38cc025cf90bc8d97b1fb89553f2c8af

    SHA1

    84a377f24c68174bbe7fa28b0a73b59743122f1b

    SHA256

    d360c3fddcb5cd4190f1cfad4530a69afde2d8a24b0dcd8eb6412db57a1fc371

    SHA512

    e82bf05836c5d5ea59c652ea12fb1eeac9157c998ff531d5be8037d672f299e020c253c627a2ff23fcf83614a8f82f86184ee0fef146524c9f15b7e2231779fd

  • C:\Users\Admin\AppData\Local\Temp\vbcECDE.tmp

    Filesize

    660B

    MD5

    7a2f5768bbc515c287385dded1e62ae9

    SHA1

    3fbc8683f5d394600245688397877146e93f03a4

    SHA256

    dc3abb4f834543ff78371c0756796edcd69936bfb2cff7869655a9f7052333b2

    SHA512

    a6147fba56ac3a317ae6e21b0c19bbcabf946769d78af560bf5464d4daf1e380c9e461f7522a96d661109bac58f07dba13e4ff5f1fe76e4b5d1ce35fec4af81b

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/1600-10-0x0000000074C60000-0x000000007520B000-memory.dmp

    Filesize

    5.7MB

  • memory/1600-20-0x0000000074C60000-0x000000007520B000-memory.dmp

    Filesize

    5.7MB

  • memory/2080-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

    Filesize

    4KB

  • memory/2080-9-0x0000000074C60000-0x000000007520B000-memory.dmp

    Filesize

    5.7MB

  • memory/2080-3-0x0000000074C60000-0x000000007520B000-memory.dmp

    Filesize

    5.7MB

  • memory/2080-2-0x0000000074C60000-0x000000007520B000-memory.dmp

    Filesize

    5.7MB

  • memory/2080-1-0x0000000074C60000-0x000000007520B000-memory.dmp

    Filesize

    5.7MB

  • memory/2080-26-0x0000000074C60000-0x000000007520B000-memory.dmp

    Filesize

    5.7MB