Analysis

- max time kernel: 142s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/03/2025, 06:12
General

- Target: 6f6b7ee9a4b8c657931ecaacd04849db.exe
- Size: 78KB
- MD5: 6f6b7ee9a4b8c657931ecaacd04849db
- SHA1: aadc1272891324493ad099c65e72a7bff8b2fd0b
- SHA256: 11fb7846090fb2e23cba8a66b1e5e605072aab6580cb9103f9d3e89205826a1a
- SHA512: 3c64218ed10eec552f198b17289aced5feaefec0c6ca8b1f25ed7f7e2cc1cab3fa98202f8bf0590810131c0cf12c38e5e9cd772170b5eb73873af7d8b12e7074
- SSDEEP: 1536:NPWtHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/q1zv:NPWtHFo53Ln7N041QqhgD9/o
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- MetamorpherRAT family
- Executes dropped EXE (1 IoC)
  pid 2676: tmpE6D6.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 2080: 6f6b7ee9a4b8c657931ecaacd04849db.exe
  pid 2080: 6f6b7ee9a4b8c657931ecaacd04849db.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" (process: tmpE6D6.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6f6b7ee9a4b8c657931ecaacd04849db.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpE6D6.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe
  Token: SeDebugPrivilege, pid 2676, tmpE6D6.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs; columns: description, pid, process, procid_target)
  PID 2080 wrote to memory of 1600, 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe, 30
  PID 2080 wrote to memory of 1600, 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe, 30
  PID 2080 wrote to memory of 1600, 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe, 30
  PID 2080 wrote to memory of 1600, 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe, 30
  PID 1600 wrote to memory of 2884, 1600, vbc.exe, 32
  PID 1600 wrote to memory of 2884, 1600, vbc.exe, 32
  PID 1600 wrote to memory of 2884, 1600, vbc.exe, 32
  PID 1600 wrote to memory of 2884, 1600, vbc.exe, 32
  PID 2080 wrote to memory of 2676, 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe, 33
  PID 2080 wrote to memory of 2676, 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe, 33
  PID 2080 wrote to memory of 2676, 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe, 33
  PID 2080 wrote to memory of 2676, 2080, 6f6b7ee9a4b8c657931ecaacd04849db.exe, 33
Processes

- C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe"
  PID: 2080
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bllaubtd.cmdline"
    PID: 1600
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcECDE.tmp"
      PID: 2884
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe
    PID: 2676
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: fc01fe7a0a0753c0604c89cf4b2b7455
  SHA1: 9d2e402bd6f2f994a262f9ccf783c326aa40a7bc
  SHA256: 2223fe8c36d828e63f232713d9ab31e94f9dc7b1fbcc7a91a5b7bcfbf3f25084
  SHA512: 55a9f2d4204302a13ad2b0cae55322dce8f6cb1da6f94bdca571d51501ce6b61e5c6bde7847857aae23095283b4a749a3827939784c1a01759e50f192bc172f4
- Filesize: 15KB
  MD5: 7e094819f5eee24cf1b3864d9d3a9ab5
  SHA1: 43b612055ce9450446bcf41a882614667f1ce799
  SHA256: 9c37c519f38ef66713837be6e8ac169fedd07f77745447df4a9243a2972ee86e
  SHA512: 3f945879cab316ed5c7e121fc41f4d96d7ab0eafa2c0f948335534054a6fa3114289c65232002e54459c5f8d1353c5908fccf1dd6964ca058df64c9a82136ad6
- Filesize: 266B
  MD5: 447dd73d2c71d124302accf59625dd2c
  SHA1: 2fc59a8ab1be04f0f671cdc908d33f0db4517f58
  SHA256: d815cb7751755355153ee9f5737c0ef5b9f8cb4379aa747029f580868d216a79
  SHA512: 2154b579f141ac207b634a6af25e07b0c649a73a10048965720cb5ac8b965a6050708bf41c4d6aa181bc57c90a7f59587215e1f932b1d332e9bf79c7986dc6c0
- Filesize: 78KB
  MD5: 38cc025cf90bc8d97b1fb89553f2c8af
  SHA1: 84a377f24c68174bbe7fa28b0a73b59743122f1b
  SHA256: d360c3fddcb5cd4190f1cfad4530a69afde2d8a24b0dcd8eb6412db57a1fc371
  SHA512: e82bf05836c5d5ea59c652ea12fb1eeac9157c998ff531d5be8037d672f299e020c253c627a2ff23fcf83614a8f82f86184ee0fef146524c9f15b7e2231779fd
- Filesize: 660B
  MD5: 7a2f5768bbc515c287385dded1e62ae9
  SHA1: 3fbc8683f5d394600245688397877146e93f03a4
  SHA256: dc3abb4f834543ff78371c0756796edcd69936bfb2cff7869655a9f7052333b2
  SHA512: a6147fba56ac3a317ae6e21b0c19bbcabf946769d78af560bf5464d4daf1e380c9e461f7522a96d661109bac58f07dba13e4ff5f1fe76e4b5d1ce35fec4af81b
- Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65