metamorpherrat | 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
Size

78KB
MD5

ec1f806b2ca57c3c03be303890c6fd65
SHA1

7d48e0cb19d60dfe2a3a04aef63c57482a024c97
SHA256

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8
SHA512

78d31f7738d47a65952ee6315f4a3ab25f35d47eed4b4832fbfe890c1b286dca1ae42dc9721b5ffa6a0ff3c0576bf621964d384d977b2851433e20538b57f0d6

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp2E8F.tmp.exe

pid process

760 tmp2E8F.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp2E8F.tmp.exe

pid process

760 tmp2E8F.tmp.exe

pid	process
760	tmp2E8F.tmp.exe

pid	process
760	tmp2E8F.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

pid	process
1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp2E8F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp2E8F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exetmp2E8F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
Token: SeDebugPrivilege	760	tmp2E8F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exevbc.exe

description	pid	process	target process
PID 1968 wrote to memory of 1932	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 1968 wrote to memory of 1932	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 1968 wrote to memory of 1932	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 1968 wrote to memory of 1932	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 1932 wrote to memory of 1704	1932	vbc.exe	cvtres.exe
PID 1932 wrote to memory of 1704	1932	vbc.exe	cvtres.exe
PID 1932 wrote to memory of 1704	1932	vbc.exe	cvtres.exe
PID 1932 wrote to memory of 1704	1932	vbc.exe	cvtres.exe
PID 1968 wrote to memory of 760	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2E8F.tmp.exe
PID 1968 wrote to memory of 760	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2E8F.tmp.exe
PID 1968 wrote to memory of 760	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2E8F.tmp.exe
PID 1968 wrote to memory of 760	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2E8F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
"C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2r1isa_y.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3035.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3034.tmp"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2r1isa_y.0.vb
MD5
6092d0095dcfcf393ac4d4b70e17aa98

SHA1
1b9b507375b75ab61452891e6ebe3ef5c87a76ea

SHA256
bb91af829ac9047a100bc7fbafaef6c927463ff20e9c52e22e8392b5a90a162c

SHA512
b9603cefca23ca1df8a6094b679dc3fc8802315cd95d2a9756745dec1dbe11d5b88806f1284ddcd5e0c8898045e9164d5a6e7a963ae12cc2757df3d89a70a3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2r1isa_y.cmdline
MD5
a298fdc9c62e44c91ed41e4505da5a17

SHA1
dbb6289bf74f229eb0b121505fc78a3282df7c95

SHA256
b51c56094f8b5261c5b7a2c9a88d36764b4d5d1eb71df81ff793928b792d1575

SHA512
5e2e194a63a9c0f0b3706d416f3eb44d3a2d2246261e33656fd605714d6c55d2bb2fab9e653fa0cc5dab4d6da1390ce69b6d0a99c2757b032694b8188b810a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3035.tmp
MD5
8a769eb80ef4228d683e19762431062c

SHA1
27566ac3291180acbcc95febbdd7e7779070d741

SHA256
d638c25b58acbadb490ce4bed02dba3ef62fe9f0dafd0825fff87d63772bfd76

SHA512
3e99144b95410011499c47b19f9fa476ad55ce6580362f7ef3cc4ea978fd6da4f3069fbbb417cbdb0667ea1474f1757d0038824983a7e15b7f081aa3a2651d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
MD5
ab7a1d32e88854ee9c7dd834ea3e95db

SHA1
e1cea5f0d7d9f9cd64424679b345d912819615e5

SHA256
0d549241c1134b2e698dcd29e5917a3150884945834d37d9672d25d3c1a26d36

SHA512
55d84b4545ccd69f565bb7072c599fc6dfef071982303cc694c94ea8c4dde1dce81af460ddbbd87c8c3d21073f8e73cc0e2863be91e412cb7d616fd659a92c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
MD5
ab7a1d32e88854ee9c7dd834ea3e95db

SHA1
e1cea5f0d7d9f9cd64424679b345d912819615e5

SHA256
0d549241c1134b2e698dcd29e5917a3150884945834d37d9672d25d3c1a26d36

SHA512
55d84b4545ccd69f565bb7072c599fc6dfef071982303cc694c94ea8c4dde1dce81af460ddbbd87c8c3d21073f8e73cc0e2863be91e412cb7d616fd659a92c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3034.tmp
MD5
423d2a2a25e154d49869fa5828ef80d4

SHA1
54c5b17a3fae95cc152978be3ec32d4d762a2509

SHA256
b086c3d35cbc19f023bcc6b3ac809a5ca318493aee765d9c2b2c799026c3d25f

SHA512
3b8e1114c57939b49b0864f18b80cb56e73d4397902b0fbdcda1fffc4b37970e87cca50b5dc65a7ab945bb6ef75457bc31f3739f30900ab9e2959f51015e9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
MD5
ab7a1d32e88854ee9c7dd834ea3e95db

SHA1
e1cea5f0d7d9f9cd64424679b345d912819615e5

SHA256
0d549241c1134b2e698dcd29e5917a3150884945834d37d9672d25d3c1a26d36

SHA512
55d84b4545ccd69f565bb7072c599fc6dfef071982303cc694c94ea8c4dde1dce81af460ddbbd87c8c3d21073f8e73cc0e2863be91e412cb7d616fd659a92c57

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
MD5
ab7a1d32e88854ee9c7dd834ea3e95db

SHA1
e1cea5f0d7d9f9cd64424679b345d912819615e5

SHA256
0d549241c1134b2e698dcd29e5917a3150884945834d37d9672d25d3c1a26d36

SHA512
55d84b4545ccd69f565bb7072c599fc6dfef071982303cc694c94ea8c4dde1dce81af460ddbbd87c8c3d21073f8e73cc0e2863be91e412cb7d616fd659a92c57

Download Submit
memory/760-14-0x0000000000000000-mapping.dmp

Download
memory/760-18-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/760-19-0x0000000000485000-0x0000000000496000-memory.dmp

Filesize
68KB

Download
memory/1704-8-0x0000000000000000-mapping.dmp

Download
memory/1932-4-0x0000000000000000-mapping.dmp

Download
memory/1932-17-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/1968-2-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1968-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download