metamorpherrat | 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d

Analysis

max time kernel
4294225s
max time network
179s
platform
windows7_x64
resource
win7-20220311-en
submitted
26-03-2022 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
Size

78KB
MD5

04e454128c1c477e2914a1c7dc1a17bf
SHA1

e889def714072b3953bc7929e920ce445ba46609
SHA256

337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d
SHA512

99ee57634d2b19a6dbc560e24ef31ceebe1df74ce2b8c462391cf62698d8e2192822c8e96c34ed21d842b7a494657c156760c78faf093b649c0fa00d1da1f9c2

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp7E25.tmp.exe

pid process

1032 tmp7E25.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp7E25.tmp.exe

pid process

1032 tmp7E25.tmp.exe

pid	process
1032	tmp7E25.tmp.exe

pid	process
1032	tmp7E25.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe

pid	process
1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe

description pid process

Token: SeDebugPrivilege 1216 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe

description	pid	process
Token: SeDebugPrivilege	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exevbc.exe

description	pid	process	target process
PID 1216 wrote to memory of 992	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe	vbc.exe
PID 1216 wrote to memory of 992	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe	vbc.exe
PID 1216 wrote to memory of 992	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe	vbc.exe
PID 1216 wrote to memory of 992	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe	vbc.exe
PID 992 wrote to memory of 1660	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 1660	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 1660	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 1660	992	vbc.exe	cvtres.exe
PID 1216 wrote to memory of 1032	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe	tmp7E25.tmp.exe
PID 1216 wrote to memory of 1032	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe	tmp7E25.tmp.exe
PID 1216 wrote to memory of 1032	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe	tmp7E25.tmp.exe
PID 1216 wrote to memory of 1032	1216	337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe	tmp7E25.tmp.exe

C:\Users\Admin\AppData\Local\Temp\337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
"C:\Users\Admin\AppData\Local\Temp\337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n_jz4mef.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F7C.tmp"
3⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe" C:\Users\Admin\AppData\Local\Temp\337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7F7D.tmp
Filesize
1KB

MD5
c9bc2c0f1b16d6898dc400fffc1c0b93

SHA1
edaa493d9bedaf7bfec8c727e3e81047869f6dd5

SHA256
d03888ba45646c0cc9595f6ac03ea7edaf5a917df2df106eb79107c17a573d5a

SHA512
485665e57987bdb2bf9217b5f74e062749212bb6359ccf93e67996f8d6c9e03b0d0f90603fb8ff972c98b9ae3c7f0e420fe93feafa49dc8ee96650c0ac7532cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\n_jz4mef.0.vb
Filesize
15KB

MD5
c5a0a3107a597f98bdf34887ce5ad36a

SHA1
cf8152bcf9863dfa16dc2bb2f9a5f1ace7a9cfe7

SHA256
e8ae451d9c670aa76f50032996d1520edb2ab0b889eafd0706a9f29e417306f2

SHA512
79d60b2ff022258a927e7235d4724142c0c79c83202de385a0bb8ee6e09e4271ece0d7bd600966b58b9975d48637eb0db72b4f38a876c39e634a61e08c870428

Download Submit
C:\Users\Admin\AppData\Local\Temp\n_jz4mef.cmdline
Filesize
266B

MD5
583d5b4e83406bf8016714e01d51a6d8

SHA1
8a82756f0399ca9dd8ab488b9f56e0abcf34635f

SHA256
a3822c8579eb2f9095a06d1f9ca2d49a376608c526565a888a897bb31a8a04bc

SHA512
adca7e18176a7fb0f1bfb32d7ca1e0e45629904bfa2f7c0fa62c85c909ef2c48de336ce1f108781d7884e18da32ebcb0abc19a2a07ef70f043b50e903a634e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe
Filesize
78KB

MD5
d91f038eaa69859c56be8230e1bdc86d

SHA1
4e6a425307a7975fab9651e77893cf42f2c1a24a

SHA256
3e47851bf287ccb68be0ff382ad6e1f1dd38887fe9e0180f9f9c06916ced39ad

SHA512
88e9a3b327c4f36c9ec058219fc8b9725791c07ac164b0e78c126a1384d455a84df38b1966d1290e775a18b3a76ba8a8fb0d37f9b3d2828c489cdb3d831e4d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe
Filesize
78KB

MD5
d91f038eaa69859c56be8230e1bdc86d

SHA1
4e6a425307a7975fab9651e77893cf42f2c1a24a

SHA256
3e47851bf287ccb68be0ff382ad6e1f1dd38887fe9e0180f9f9c06916ced39ad

SHA512
88e9a3b327c4f36c9ec058219fc8b9725791c07ac164b0e78c126a1384d455a84df38b1966d1290e775a18b3a76ba8a8fb0d37f9b3d2828c489cdb3d831e4d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7F7C.tmp
Filesize
660B

MD5
f3fcaea832fcd79ba0ead100076535bb

SHA1
916bf91d857352838a873d8df4a659e0eb0a8886

SHA256
bd63af8195746222e569b59dabcdfa3a687062d87a93381bd8b20a417a78b058

SHA512
a2a3007e1e80b367cf1fc6947e68f40b7f9366cd5c3aac74d4e478b816c7328b663124be6d90f9a8847e9da975e471345d64afa9ea60ac9e7c8020855f785abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe
Filesize
78KB

MD5
d91f038eaa69859c56be8230e1bdc86d

SHA1
4e6a425307a7975fab9651e77893cf42f2c1a24a

SHA256
3e47851bf287ccb68be0ff382ad6e1f1dd38887fe9e0180f9f9c06916ced39ad

SHA512
88e9a3b327c4f36c9ec058219fc8b9725791c07ac164b0e78c126a1384d455a84df38b1966d1290e775a18b3a76ba8a8fb0d37f9b3d2828c489cdb3d831e4d45

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe
Filesize
78KB

MD5
d91f038eaa69859c56be8230e1bdc86d

SHA1
4e6a425307a7975fab9651e77893cf42f2c1a24a

SHA256
3e47851bf287ccb68be0ff382ad6e1f1dd38887fe9e0180f9f9c06916ced39ad

SHA512
88e9a3b327c4f36c9ec058219fc8b9725791c07ac164b0e78c126a1384d455a84df38b1966d1290e775a18b3a76ba8a8fb0d37f9b3d2828c489cdb3d831e4d45

Download Submit
memory/992-55-0x0000000000000000-mapping.dmp

Download
memory/1032-65-0x0000000000000000-mapping.dmp

Download
memory/1032-69-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-70-0x0000000000AD5000-0x0000000000AE6000-memory.dmp

Filesize
68KB

Download
memory/1216-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1216-66-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-59-0x0000000000000000-mapping.dmp

Download