metamorpherrat | ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962

Analysis

max time kernel
4294210s
max time network
157s
platform
windows7_x64
resource
win7-20220311-en
submitted
26-03-2022 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
Size

78KB
MD5

00fd8f3d1b855717213460550c2f09f9
SHA1

d4475c42754dcf04d648741efe6bb195978bbcbd
SHA256

ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962
SHA512

5497ef18c6973c2e1b3eaa85270f5739069cf23e05d21a0de2e2fabc8c19fcc59b3dfc1ee0dc293d441da8fdec35ca9656d3df328f8804ef6a8b73f8ccb354de

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp4682.tmp.exe

pid process

1468 tmp4682.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp4682.tmp.exe

pid process

1468 tmp4682.tmp.exe

pid	process
1468	tmp4682.tmp.exe

pid	process
1468	tmp4682.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe

pid	process
1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp4682.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp4682.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exetmp4682.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
Token: SeDebugPrivilege	1468	tmp4682.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exevbc.exe

description	pid	process	target process
PID 1844 wrote to memory of 2020	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe	vbc.exe
PID 1844 wrote to memory of 2020	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe	vbc.exe
PID 1844 wrote to memory of 2020	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe	vbc.exe
PID 1844 wrote to memory of 2020	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe	vbc.exe
PID 2020 wrote to memory of 1208	2020	vbc.exe	cvtres.exe
PID 2020 wrote to memory of 1208	2020	vbc.exe	cvtres.exe
PID 2020 wrote to memory of 1208	2020	vbc.exe	cvtres.exe
PID 2020 wrote to memory of 1208	2020	vbc.exe	cvtres.exe
PID 1844 wrote to memory of 1468	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe	tmp4682.tmp.exe
PID 1844 wrote to memory of 1468	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe	tmp4682.tmp.exe
PID 1844 wrote to memory of 1468	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe	tmp4682.tmp.exe
PID 1844 wrote to memory of 1468	1844	ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe	tmp4682.tmp.exe

C:\Users\Admin\AppData\Local\Temp\ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
"C:\Users\Admin\AppData\Local\Temp\ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jonphqse.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47CA.tmp"
3⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES47CB.tmp
MD5
a9a553d28a38af4877e8739549655a71

SHA1
c38cf2c1305f6c2e0445521924dd7074686bfc2d

SHA256
47eef426a66802f92bca9a6761fbd24742b3cbf60efe20f7bbd59a7cafe3198a

SHA512
f5d2bed99a1bdcfcacaf41ecaf01a3c1049052a017f2e8cabad1d2b25bee036291e8c33050328d6c0526c259e5367c832f119433da2f51f92e75218b18be878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jonphqse.0.vb
MD5
e0abfb42fb57daceb7ed0f7e42c23b73

SHA1
78b3ce95938f6d9e26d79309902b829749f9e3f6

SHA256
ddf4fda73f5b711fb44aab8ee4e5af395e85faaf6efdc8bd88b77bfdacd69073

SHA512
91b28e238eb603ea393d0f4ab6a2f69e03424d8eb0b692769b8d5779721ed1c54edb170c1a70c809339e15af576863cf6842fd07c9ff29da501c116ba069a1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jonphqse.cmdline
MD5
2c9979bcfe67c0b2351c33489c61cf65

SHA1
dc54ac8ef605be9b6570f25a80fab8f07badf562

SHA256
95a8e5c5973cc94bbb5aa1df9320000450b8572fa21a2e8f45cd9d3c22700dd5

SHA512
99d8379741013916938ceadd5b89f088cb0bf1a6efb11682ad420b286d78d634e771aed2780a117f2b564d9d7e4376029518d524026a9f05f4b53765535eef7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe
MD5
45f7d273826a2f77b46090cc94895577

SHA1
5e662b8859898cce615c5128e4534fbadc00e990

SHA256
5dcfaae3c55603d72fb5668f74efd5fe1eeb95549bfb923c5b0eb4d44b9390c6

SHA512
6fe2ab85f97858a9365c7cfe5d5e380e275d4aab0256cdb3cefb71ffd64f605d4ec817959288b78c459a77b3901fd04f4ce48b38d8bf216ae747aa0606812c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe
MD5
45f7d273826a2f77b46090cc94895577

SHA1
5e662b8859898cce615c5128e4534fbadc00e990

SHA256
5dcfaae3c55603d72fb5668f74efd5fe1eeb95549bfb923c5b0eb4d44b9390c6

SHA512
6fe2ab85f97858a9365c7cfe5d5e380e275d4aab0256cdb3cefb71ffd64f605d4ec817959288b78c459a77b3901fd04f4ce48b38d8bf216ae747aa0606812c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc47CA.tmp
MD5
05551a7d7f030349cf38b4c522224b35

SHA1
72717f2bc5c661bdff4bfb8529d183aa96740585

SHA256
8020bd0425ec872f6e24e5689e018ec99819f79417c95352a71100fb0fa8d3b2

SHA512
1f5b61c01d6276167158ccc19045ab5d9953074f5a1d377329a16aaf6c6dfe4e816c50fb86a7f9efb6181560a98a8d0a0421808fcd2ab8071f06e13221c98224

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe
MD5
45f7d273826a2f77b46090cc94895577

SHA1
5e662b8859898cce615c5128e4534fbadc00e990

SHA256
5dcfaae3c55603d72fb5668f74efd5fe1eeb95549bfb923c5b0eb4d44b9390c6

SHA512
6fe2ab85f97858a9365c7cfe5d5e380e275d4aab0256cdb3cefb71ffd64f605d4ec817959288b78c459a77b3901fd04f4ce48b38d8bf216ae747aa0606812c77

Download Submit
\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe
MD5
45f7d273826a2f77b46090cc94895577

SHA1
5e662b8859898cce615c5128e4534fbadc00e990

SHA256
5dcfaae3c55603d72fb5668f74efd5fe1eeb95549bfb923c5b0eb4d44b9390c6

SHA512
6fe2ab85f97858a9365c7cfe5d5e380e275d4aab0256cdb3cefb71ffd64f605d4ec817959288b78c459a77b3901fd04f4ce48b38d8bf216ae747aa0606812c77

Download Submit
memory/1208-59-0x0000000000000000-mapping.dmp

Download
memory/1468-66-0x0000000000000000-mapping.dmp

Download
memory/1468-69-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/1468-70-0x0000000001E85000-0x0000000001E96000-memory.dmp

Filesize
68KB

Download
memory/1844-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1844-63-0x0000000074F40000-0x00000000754EB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download