metamorpherrat | 4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d

General

Target

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
Size

78KB
MD5

0106ede4fe7c8704ea04b3f66c5d80d6
SHA1

59d774bed7c7c8f76de7fa436e238413870d16b6
SHA256

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d
SHA512

8ed68cc9a26eb9ce1f9fd0d70ae0d0a6ba91c3d3cc3a2feb730957556f981edbcf41841815220552aedffcf85b1d967442e9d7fe9fd8f5a20ef19d1f7340439e

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp8A54.tmp.exe

pid process

3128 tmp8A54.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp8A54.tmp.exe

pid process

3128 tmp8A54.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3128	tmp8A54.tmp.exe

pid	process
3128	tmp8A54.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp8A54.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8A54.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exetmp8A54.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
Token: SeDebugPrivilege	3128	tmp8A54.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exevbc.exe

description	pid	process	target process
PID 1812 wrote to memory of 3840	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	vbc.exe
PID 1812 wrote to memory of 3840	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	vbc.exe
PID 1812 wrote to memory of 3840	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	vbc.exe
PID 3840 wrote to memory of 708	3840	vbc.exe	cvtres.exe
PID 3840 wrote to memory of 708	3840	vbc.exe	cvtres.exe
PID 3840 wrote to memory of 708	3840	vbc.exe	cvtres.exe
PID 1812 wrote to memory of 3128	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	tmp8A54.tmp.exe
PID 1812 wrote to memory of 3128	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	tmp8A54.tmp.exe
PID 1812 wrote to memory of 3128	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	tmp8A54.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
"C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7xpglucq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB76B2E4B635547FF9CF8AB1DC113EC2.TMP"
3⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7xpglucq.0.vb
MD5
50ea8ebb497f72c885d4185e51cee7b3

SHA1
3dcad645f1b64671c62de547f62388e80963b6cc

SHA256
0577e08a48f0d5701f60ba6e3105010c90bf384912f931439eecb48521c0a997

SHA512
128de8970052c7489c8f67c588cbe73dcc5327cfdade215e67564522ee6f63bd477398aa7bce4ba847a8f1c3820a9d4fa85fd84058e39270299edc03aa311a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7xpglucq.cmdline
MD5
54ea6e58b11aa2cd3d0d176507315b25

SHA1
238f63fab5e26c5ddfe13895538753b921099600

SHA256
0d090835f10712282e1fd9af159f34a13083685a511cab0279610920ba142396

SHA512
b297ef338247eff314ea3617f063851617afd148a33bed5ec3e09e70e5dca94d887b9779470060683288fe1fd3c4eb859c32a5ad2e5692d618ff364030ace118

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DCE.tmp
MD5
dcf7a8b0609b81fbb066e43c875b5e44

SHA1
c4931cf18e5519f55b137d715cc3c181ff5a806d

SHA256
3a2afcc231b74bce5a7670e39e7cd4cc04b27b1dccb0cfbc891275efbb12585d

SHA512
ed4d10ed15a76b437f81acea18c0e6b27ef25c488efdd8ccad22ef2100aeae182f562b4f4370f3ace39ba1f29af3a8a60050392ae5a1b55560608a6a4303f413

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
MD5
387a86d366dde8ec42ff8a8416a2197a

SHA1
ed64e75c87eac03b2ec4a3505261b7f0d8760b14

SHA256
d985674ad482d289da2819c5c9c722777a3fdcbaefa444db31c41231fe362e46

SHA512
fe3c6c91e47e0b935042ea00b1cbc50129c9f096642412d7f68257ed4f31fefeeab1d5cb8e51c2af3f2aa212708b1c2272d86f7d855c228b616b213e05802b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
MD5
387a86d366dde8ec42ff8a8416a2197a

SHA1
ed64e75c87eac03b2ec4a3505261b7f0d8760b14

SHA256
d985674ad482d289da2819c5c9c722777a3fdcbaefa444db31c41231fe362e46

SHA512
fe3c6c91e47e0b935042ea00b1cbc50129c9f096642412d7f68257ed4f31fefeeab1d5cb8e51c2af3f2aa212708b1c2272d86f7d855c228b616b213e05802b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB76B2E4B635547FF9CF8AB1DC113EC2.TMP
MD5
4026604773f1ed9d748c28cf5f39430d

SHA1
5977d4b52403bd41989b62964b34c32ff272b869

SHA256
5f7e9c93b30ebd23356736628c0f6152b05ea0c3049cef76268a58fe733b797d

SHA512
9df5346db274199b8a07990cb802c2914f2d8302a973a3dd95ecfd1a1641027937d5e3ff1d9e4cff44f07bdaa3968d27c641e4be8d94b073675d5f187ce6d096

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/708-7-0x0000000000000000-mapping.dmp

Download
memory/1812-2-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3128-12-0x0000000000000000-mapping.dmp

Download
memory/3128-14-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3128-15-0x00000000005D3000-0x00000000005D5000-memory.dmp

Filesize
8KB

Download
memory/3840-11-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3840-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads