metamorpherrat | 0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810

Analysis

max time kernel
130s
max time network
139s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
Size

78KB
MD5

9b4497259f9f858244023de231400892
SHA1

08600ea0e22ae8e5168ec56a359d75ae2cf9b413
SHA256

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810
SHA512

777ffca5982119d346d601c4a6b2e4cefae9e5c05b29312c0676d6ed45478d829524ff3a14885a6fc2e4a27235ad897021342b71665f890ccca2a575397432a4

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp2BD1.tmp.exe

pid process

1968 tmp2BD1.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp2BD1.tmp.exe

pid process

1968 tmp2BD1.tmp.exe

pid	process
1968	tmp2BD1.tmp.exe

pid	process
1968	tmp2BD1.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe

pid	process
1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp2BD1.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp2BD1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exetmp2BD1.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
Token: SeDebugPrivilege	1968	tmp2BD1.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exevbc.exe

description	pid	process	target process
PID 1724 wrote to memory of 1900	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1724 wrote to memory of 1900	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1724 wrote to memory of 1900	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1724 wrote to memory of 1900	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1900 wrote to memory of 1172	1900	vbc.exe	cvtres.exe
PID 1900 wrote to memory of 1172	1900	vbc.exe	cvtres.exe
PID 1900 wrote to memory of 1172	1900	vbc.exe	cvtres.exe
PID 1900 wrote to memory of 1172	1900	vbc.exe	cvtres.exe
PID 1724 wrote to memory of 1968	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp2BD1.tmp.exe
PID 1724 wrote to memory of 1968	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp2BD1.tmp.exe
PID 1724 wrote to memory of 1968	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp2BD1.tmp.exe
PID 1724 wrote to memory of 1968	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp2BD1.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
"C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ck5jwbqb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D57.tmp"
3⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp
MD5
a6c08b890d32d7db8d871d26bb4df0dc

SHA1
a18632fe19a6229ac5963ca78d81e0e87c375b2c

SHA256
2639f0319f8557b0025c127539134ca90f565140f20a7afc8733c96a194ca69b

SHA512
b64ca6da3f8ec3cb8d0413ca3bd79d96cd23a855e30d01e1f52625b6e3adcbc0ce2897f8a86afee4025e30b8a9a4d72895bcf4e2d05dab7d366f38ced2172ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck5jwbqb.0.vb
MD5
c1b7849fc94d6f6507eb6676137e2eb1

SHA1
6084e0066a8c3929fe1dd43f2ba107b3a37cc141

SHA256
e3088e183274a2cb5af6eb314a1a13208b307842c6579578e91c7d2f5c6ebd22

SHA512
5a8f4fb536ad6599c5c45d553d2bb015bf047f490cdfca528a9af9f87b6671366fa3a330c7a9ab6d58155bed2d99a7447e3bad394f612efef7efbd4c5c247b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck5jwbqb.cmdline
MD5
295ae4f3e7f7495720992cbfa73a9d2f

SHA1
0848b8684018ab8f30970d7876aa6dd57db0ed96

SHA256
00d7a97565c63140c012329d3708449ae441e07965b486a01f025b381ee7ec02

SHA512
fb3e9eda08ef420cb0610adcf759634ad39d1454a62eed30acc93b31ede893ee4455a7f754afa683084fb31e5c63a6b2ca0cc01efed5f0bd4a67320f28834069

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
MD5
72283dd285a869236839befa4a4f6783

SHA1
f59b7cdd846b9d67ff1904a959065c9de37c1ee9

SHA256
b6f8a26583ef9215656d1c0c2bb797e6858a4a316ecd1f0a68ca82ae8b3ebafd

SHA512
8de24706a393bd9fc9908377f18d5bf384ad8827f393a25f8cdfd96ce37cce053b96095ebde7e534a510db3da8721a18a798fa1e152ad46f459196bffcd95aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
MD5
72283dd285a869236839befa4a4f6783

SHA1
f59b7cdd846b9d67ff1904a959065c9de37c1ee9

SHA256
b6f8a26583ef9215656d1c0c2bb797e6858a4a316ecd1f0a68ca82ae8b3ebafd

SHA512
8de24706a393bd9fc9908377f18d5bf384ad8827f393a25f8cdfd96ce37cce053b96095ebde7e534a510db3da8721a18a798fa1e152ad46f459196bffcd95aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2D57.tmp
MD5
26fa5c1f118555393f5ad1c4d48762d0

SHA1
d7c42746042b724244d642511a7d4bb8b7706fca

SHA256
153f2fbddb37ab6c58e0d7ab0792d9c66bb047c72a7bc14428f72df9a84d1ccf

SHA512
25ef13621b88e9a74797601b6106c12d77120eed492a9d9c102a94db74a924c9d9faa48f242cbcd3120a30436443d6ac2c51fca166115ce68fa9a5276ea579af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
MD5
72283dd285a869236839befa4a4f6783

SHA1
f59b7cdd846b9d67ff1904a959065c9de37c1ee9

SHA256
b6f8a26583ef9215656d1c0c2bb797e6858a4a316ecd1f0a68ca82ae8b3ebafd

SHA512
8de24706a393bd9fc9908377f18d5bf384ad8827f393a25f8cdfd96ce37cce053b96095ebde7e534a510db3da8721a18a798fa1e152ad46f459196bffcd95aa8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
MD5
72283dd285a869236839befa4a4f6783

SHA1
f59b7cdd846b9d67ff1904a959065c9de37c1ee9

SHA256
b6f8a26583ef9215656d1c0c2bb797e6858a4a316ecd1f0a68ca82ae8b3ebafd

SHA512
8de24706a393bd9fc9908377f18d5bf384ad8827f393a25f8cdfd96ce37cce053b96095ebde7e534a510db3da8721a18a798fa1e152ad46f459196bffcd95aa8

Download Submit
memory/1172-7-0x0000000000000000-mapping.dmp

Download
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1724-11-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1900-12-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/1900-3-0x0000000000000000-mapping.dmp

Download
memory/1968-15-0x0000000000000000-mapping.dmp

Download
memory/1968-18-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1968-19-0x0000000001F15000-0x0000000001F26000-memory.dmp

Filesize
68KB

Download