metamorpherrat | 36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623

Analysis

max time kernel
4294228s
max time network
182s
platform
windows7_x64
resource
win7-20220311-en
submitted
26-03-2022 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe
Size

78KB
MD5

0058d423a88181d77fdf49adf4261264
SHA1

0a84f8e2cd285ab5227ea8908f99f3a698fc945e
SHA256

36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623
SHA512

bc2b63ad53c6eeb1bdc2485e44a0f3243be4e3de7ddb16a660ecebdf9c67198f521feb0288cdef151c41fafa0cbd7e90e3560d25bb7ab0cd8e2e84069e2719b2

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp7E06.tmp.exe

pid process

108 tmp7E06.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp7E06.tmp.exe

pid process

108 tmp7E06.tmp.exe

pid	process
108	tmp7E06.tmp.exe

pid	process
108	tmp7E06.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe

pid	process
1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe
1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp7E06.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp7E06.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exetmp7E06.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe
Token: SeDebugPrivilege	108	tmp7E06.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exevbc.exe

description	pid	process	target process
PID 1876 wrote to memory of 1208	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe	vbc.exe
PID 1876 wrote to memory of 1208	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe	vbc.exe
PID 1876 wrote to memory of 1208	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe	vbc.exe
PID 1876 wrote to memory of 1208	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe	vbc.exe
PID 1208 wrote to memory of 1604	1208	vbc.exe	cvtres.exe
PID 1208 wrote to memory of 1604	1208	vbc.exe	cvtres.exe
PID 1208 wrote to memory of 1604	1208	vbc.exe	cvtres.exe
PID 1208 wrote to memory of 1604	1208	vbc.exe	cvtres.exe
PID 1876 wrote to memory of 108	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe	tmp7E06.tmp.exe
PID 1876 wrote to memory of 108	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe	tmp7E06.tmp.exe
PID 1876 wrote to memory of 108	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe	tmp7E06.tmp.exe
PID 1876 wrote to memory of 108	1876	36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe	tmp7E06.tmp.exe

C:\Users\Admin\AppData\Local\Temp\36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe
"C:\Users\Admin\AppData\Local\Temp\36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z45_7ek1.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7FF9.tmp"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\tmp7E06.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7E06.tmp.exe" C:\Users\Admin\AppData\Local\Temp\36c0a7fbf56bbb75b559e80b2da4fedf275ce2ab229fa4371ec44e77365ea623.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7FFA.tmp
Filesize
1KB

MD5
0091e4241f588ae1ac18afe06233c2d2

SHA1
268283b9ebb152ed098448986ea83e1282d8d14e

SHA256
fbdebb249d9490e96fef308fb4d26545ad5997104349ac21a03555140d413299

SHA512
cd409a71cf66750d2d26fd309ae06de621562ac9b83cb2268f601dc15089e16edc370e22e63c749ee44c9ad680e28ee1b2ffbd04582fb9fad7016c4f767293e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E06.tmp.exe
Filesize
78KB

MD5
dbf89dfd185a925dd49a724c0524a1b5

SHA1
8343928e242cb0af72ab56a59dd555e3275fe026

SHA256
7d8cb9053db60dcb243b7996ce47a1a142c30c835283adab5737f4e3d683a37f

SHA512
e6d05d600c79e96eceb48062f6823b005ea8b4609d07148e6b3591f87a7b392143868dfc2aa4c2a30b556f3e948e4a41f7cf1e13b7d98cc307c19d03b7b9461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E06.tmp.exe
Filesize
78KB

MD5
dbf89dfd185a925dd49a724c0524a1b5

SHA1
8343928e242cb0af72ab56a59dd555e3275fe026

SHA256
7d8cb9053db60dcb243b7996ce47a1a142c30c835283adab5737f4e3d683a37f

SHA512
e6d05d600c79e96eceb48062f6823b005ea8b4609d07148e6b3591f87a7b392143868dfc2aa4c2a30b556f3e948e4a41f7cf1e13b7d98cc307c19d03b7b9461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7FF9.tmp
Filesize
660B

MD5
afc31251046d85469c6e822b08f37927

SHA1
5e18b251f3d4b4e5426566aeccc9421aea9a6821

SHA256
3e719206a52ffd98323f742837b4e11cfb797914c5faee5fd5cce62de43d1086

SHA512
6b498fd8caf81094fc8930235f231fa35b91ae59a960ca163075fc4e669b4dc8f619e47743ac7edc224d1f2f848b236ea5ab90dcc99106c9271b01e357a21124

Download Submit
C:\Users\Admin\AppData\Local\Temp\z45_7ek1.0.vb
Filesize
15KB

MD5
046cdb4eda2305189d19fe2e2202b5f8

SHA1
b21670ad8b2ebf36899d002976d3ce59f2401c3a

SHA256
13f795735330a19463419b06671ead436746f6ef96269c1f7af947267c1eab62

SHA512
ae9884eba45c86582eecdc18be13501ca2385185129860114203a51109eb9d4431d2ac12ad3e22efaf2cd962d3e353726054f4ef7998b33fe91d2706ff38003e

Download Submit
C:\Users\Admin\AppData\Local\Temp\z45_7ek1.cmdline
Filesize
266B

MD5
9c436588e3cf8253e6b9655fdd04776c

SHA1
3f7d6997466164a8aad23358e964ca704e8d4e09

SHA256
2d6a72da1794432439a69233670a0c782996906567bc27ace57cc834dd9b3fcc

SHA512
52cb30e40272a2fad60a3df9f4701923756f41ed794d6b8dc3f9e6c82c9882200b7bb12ac938133f932f4191849a5782d1ef75798b7d64fe20d6fa15522bdfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7E06.tmp.exe
Filesize
78KB

MD5
dbf89dfd185a925dd49a724c0524a1b5

SHA1
8343928e242cb0af72ab56a59dd555e3275fe026

SHA256
7d8cb9053db60dcb243b7996ce47a1a142c30c835283adab5737f4e3d683a37f

SHA512
e6d05d600c79e96eceb48062f6823b005ea8b4609d07148e6b3591f87a7b392143868dfc2aa4c2a30b556f3e948e4a41f7cf1e13b7d98cc307c19d03b7b9461f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7E06.tmp.exe
Filesize
78KB

MD5
dbf89dfd185a925dd49a724c0524a1b5

SHA1
8343928e242cb0af72ab56a59dd555e3275fe026

SHA256
7d8cb9053db60dcb243b7996ce47a1a142c30c835283adab5737f4e3d683a37f

SHA512
e6d05d600c79e96eceb48062f6823b005ea8b4609d07148e6b3591f87a7b392143868dfc2aa4c2a30b556f3e948e4a41f7cf1e13b7d98cc307c19d03b7b9461f

Download Submit
memory/108-66-0x0000000000000000-mapping.dmp

Download
memory/108-69-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/108-70-0x00000000004A5000-0x00000000004B6000-memory.dmp

Filesize
68KB

Download
memory/1208-55-0x0000000000000000-mapping.dmp

Download
memory/1604-60-0x0000000000000000-mapping.dmp

Download
memory/1876-58-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1876-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download