metamorpherrat | 4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e

Analysis

max time kernel
4294218s
max time network
164s
platform
windows7_x64
resource
win7-20220311-en
submitted
26-03-2022 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
Size

78KB
MD5

00831c7277e51a7a3e765c58f685914d
SHA1

ca2d1a0ddbd19a14ae31bf3a7132e1874fa2980f
SHA256

4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e
SHA512

4fb8f37453152c5dd9f795c5908da8ca9445682f52c7a77c369ecd3b1200fba673eb803993c939e8169d6340929307c42fa139016ca62ec44ad4e79e0bb1e85c

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp62E8.tmp.exe

pid process

1812 tmp62E8.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp62E8.tmp.exe

pid process

1812 tmp62E8.tmp.exe

pid	process
1812	tmp62E8.tmp.exe

pid	process
1812	tmp62E8.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe

pid	process
1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp62E8.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp62E8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exetmp62E8.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
Token: SeDebugPrivilege	1812	tmp62E8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exevbc.exe

description	pid	process	target process
PID 1568 wrote to memory of 1076	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe	vbc.exe
PID 1568 wrote to memory of 1076	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe	vbc.exe
PID 1568 wrote to memory of 1076	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe	vbc.exe
PID 1568 wrote to memory of 1076	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe	vbc.exe
PID 1076 wrote to memory of 1752	1076	vbc.exe	cvtres.exe
PID 1076 wrote to memory of 1752	1076	vbc.exe	cvtres.exe
PID 1076 wrote to memory of 1752	1076	vbc.exe	cvtres.exe
PID 1076 wrote to memory of 1752	1076	vbc.exe	cvtres.exe
PID 1568 wrote to memory of 1812	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe	tmp62E8.tmp.exe
PID 1568 wrote to memory of 1812	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe	tmp62E8.tmp.exe
PID 1568 wrote to memory of 1812	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe	tmp62E8.tmp.exe
PID 1568 wrote to memory of 1812	1568	4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe	tmp62E8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
"C:\Users\Admin\AppData\Local\Temp\4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jt_x4soz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES645F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc644F.tmp"
3⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES645F.tmp
MD5
b04932225837b9fb8cb68ecdf6eb9bf6

SHA1
40914903b544e8b4ad030becacb4da28761b1e50

SHA256
4acae9254df550c4831fee242c883aaeac2ebaa74d243a2e48eb818c045a026f

SHA512
fe75e3d55141142fb59f2cbc7625c03f33a97b88aa8b38b9d8f8fa236f54b41ccdfb86aa54d0a798869cb7ac2942126da654f8d2159c48f93187a40bd849c45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jt_x4soz.0.vb
MD5
ce86c599de05f57cce31e8fe1bed87cb

SHA1
14560e2b664a4cce550fb3c959133e72f85e20ff

SHA256
1154e82a9af6b6f1a561915a09fe415f53c6985044e3a873de7c262fd9af33af

SHA512
66100c62c8ea6093a60b7d51aa3eb378bdbfa8f579eab3f95a72a73df5d9325b76f38c9d7ccd395213247f543a1641a36382fe51bf09ce1be1af95452276a624

Download Submit
C:\Users\Admin\AppData\Local\Temp\jt_x4soz.cmdline
MD5
5dfb107cec41e2b4438246fa17212530

SHA1
1397a7ca4675d8ef451def4cc2c0c769d346f3ba

SHA256
fa7a126b3cc6149abc876006c01b8022974bdb7287dda929c49021520170c667

SHA512
934ac2b29cb49dc8f9ab01c376944d7cf03902bf75c9a70361b13cdfda5b176c13da6ba6e0e76bd026a17a5a294637dfadfb0a3a1fd58e9e29c240cf88c69f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
MD5
cc773c8eba9e12da13dae12d89e84e0d

SHA1
c6a5984b888e214c5f69ff4ed9698d34da97dd59

SHA256
e1f67bf42673d897d85ccc9f071ffa96a0f22b88f3cf9500cf0f373640b249c9

SHA512
5e4fa04195fae26eb2a473d0c9169be92c65ff928e4b335452d784468f43991ab83a0fd67548c09e542746ea7cb35da7c73b3ac68fba31eea14411197ba266df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
MD5
cc773c8eba9e12da13dae12d89e84e0d

SHA1
c6a5984b888e214c5f69ff4ed9698d34da97dd59

SHA256
e1f67bf42673d897d85ccc9f071ffa96a0f22b88f3cf9500cf0f373640b249c9

SHA512
5e4fa04195fae26eb2a473d0c9169be92c65ff928e4b335452d784468f43991ab83a0fd67548c09e542746ea7cb35da7c73b3ac68fba31eea14411197ba266df

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc644F.tmp
MD5
d2e7e47f16c587209b522ac671d310a2

SHA1
293ee556e9f02957c813aeb35f65ca38d11f574c

SHA256
1f451ea45b805db12c96b455d43266e468606ef1cef9ceb4e35db3b1dabd3bd4

SHA512
50411338981dd572abb019daabbe0076317f9dca72cef341fcaeea04a634d078ac4dc19cbef82894066a8699c4cc6a742aa94f8194a7bba219b57606f573ae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
MD5
cc773c8eba9e12da13dae12d89e84e0d

SHA1
c6a5984b888e214c5f69ff4ed9698d34da97dd59

SHA256
e1f67bf42673d897d85ccc9f071ffa96a0f22b88f3cf9500cf0f373640b249c9

SHA512
5e4fa04195fae26eb2a473d0c9169be92c65ff928e4b335452d784468f43991ab83a0fd67548c09e542746ea7cb35da7c73b3ac68fba31eea14411197ba266df

Download Submit
\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
MD5
cc773c8eba9e12da13dae12d89e84e0d

SHA1
c6a5984b888e214c5f69ff4ed9698d34da97dd59

SHA256
e1f67bf42673d897d85ccc9f071ffa96a0f22b88f3cf9500cf0f373640b249c9

SHA512
5e4fa04195fae26eb2a473d0c9169be92c65ff928e4b335452d784468f43991ab83a0fd67548c09e542746ea7cb35da7c73b3ac68fba31eea14411197ba266df

Download Submit
memory/1076-55-0x0000000000000000-mapping.dmp

Download
memory/1568-58-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-54-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1752-60-0x0000000000000000-mapping.dmp

Download
memory/1812-66-0x0000000000000000-mapping.dmp

Download
memory/1812-69-0x0000000074A10000-0x0000000074FBB000-memory.dmp

Filesize
5.7MB

Download
memory/1812-70-0x00000000001B5000-0x00000000001C6000-memory.dmp

Filesize
68KB

Download