metamorpherrat | dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be

Analysis

max time kernel
4294217s
max time network
166s
platform
windows7_x64
resource
win7-20220311-en
submitted
26-03-2022 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe
Size

78KB
MD5

d20090c79abb96f344068613e31b6128
SHA1

e337f9f25ca800108d0252d7cafa2595886ea71e
SHA256

dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be
SHA512

5360b368753268e233bbe07529d6adda4a09f552e6fedc3eb1f93c98f165f8413d10985fab7614a24a81c7f2a904622ceabda8459fd4df72356b4b2845b1faf6

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp6C1B.tmp.exe

pid process

888 tmp6C1B.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp6C1B.tmp.exe

pid process

888 tmp6C1B.tmp.exe

pid	process
888	tmp6C1B.tmp.exe

pid	process
888	tmp6C1B.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe

pid	process
1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe
1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe

description pid process

Token: SeDebugPrivilege 1996 dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe

description	pid	process
Token: SeDebugPrivilege	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exevbc.exe

description	pid	process	target process
PID 1996 wrote to memory of 1636	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe	vbc.exe
PID 1996 wrote to memory of 1636	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe	vbc.exe
PID 1996 wrote to memory of 1636	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe	vbc.exe
PID 1996 wrote to memory of 1636	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe	vbc.exe
PID 1636 wrote to memory of 468	1636	vbc.exe	cvtres.exe
PID 1636 wrote to memory of 468	1636	vbc.exe	cvtres.exe
PID 1636 wrote to memory of 468	1636	vbc.exe	cvtres.exe
PID 1636 wrote to memory of 468	1636	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 888	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe	tmp6C1B.tmp.exe
PID 1996 wrote to memory of 888	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe	tmp6C1B.tmp.exe
PID 1996 wrote to memory of 888	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe	tmp6C1B.tmp.exe
PID 1996 wrote to memory of 888	1996	dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe	tmp6C1B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe
"C:\Users\Admin\AppData\Local\Temp\dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a1xwdqf6.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E0F.tmp"
3⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\tmp6C1B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6C1B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dad553fe1ab3a4ca501fe1aa9f61e8e957d66955e9aa4164ee9976817d07e0be.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6E1F.tmp
Filesize
1KB

MD5
284f486b0ea8307615c0efe00e9fc9d8

SHA1
15c3fb4f13fd9c54bbd4594e1c0fb085dbfe88a2

SHA256
0d91790ddaad8b82c73d711c67676c689e4324752fd2cc1ecf591dd313aaf911

SHA512
e8909d1b4eaa7742bd6cd6a53a7a8d4d9ba9cc46e03222ba077effc282052233612255d6121e2d0d1ec53305c7599adef6646d50dadb57ddb4d750bb58d28f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1xwdqf6.0.vb
Filesize
14KB

MD5
28e12a6013e59e47d78a6aa1694f0961

SHA1
c9403321f9008eeca8303e1b13f0444bfa4d844b

SHA256
596e3eae58103f0c44a50edc61afc1afeae10a6ae677759c2a27ec0484f856f5

SHA512
e09286da5e3f4a16b21f190eb6310f8ba863e4ad99a01bae085e6707e1db487bde78fdc493162bb089b255d5fab61d1c53c6987f600e5b70ba346359070b199f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1xwdqf6.cmdline
Filesize
266B

MD5
46cd6e1395569f50026122c73d30517a

SHA1
f52a723558743ebaae85d7159c954b6a8b36c45f

SHA256
3e6044dcab12f95cd4db5c1a8014ae35c7534107abb05f90af5539498076c9af

SHA512
19aaf7225835270a1a4b07091d2443bcdf44c2838cd5a90b3d09b46e860a1bb1391d68433c02ffe827d27f116a0f4af900e7e0c25f497ec8dda2f8de4f58586c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C1B.tmp.exe
Filesize
78KB

MD5
f0d1a4a80ccd6822a0270caf35cd9ff6

SHA1
17b21d9a53a68980f06d3a829c38ca4d8ec5e02b

SHA256
7631097ce1baac815509014d72796a55174eef3d33d1efb2674837266bd9c9f3

SHA512
e6995c356c0c26fcb5135c3ccbcd4975ebb173ddca358b58d841fd0f46dfe43c4d4c739fbe19a5ba2c7909a8014e9359afa9d27e0745e45e3be746d0372875b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C1B.tmp.exe
Filesize
78KB

MD5
f0d1a4a80ccd6822a0270caf35cd9ff6

SHA1
17b21d9a53a68980f06d3a829c38ca4d8ec5e02b

SHA256
7631097ce1baac815509014d72796a55174eef3d33d1efb2674837266bd9c9f3

SHA512
e6995c356c0c26fcb5135c3ccbcd4975ebb173ddca358b58d841fd0f46dfe43c4d4c739fbe19a5ba2c7909a8014e9359afa9d27e0745e45e3be746d0372875b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E0F.tmp
Filesize
660B

MD5
8e9bf80ed79139d481a787b2dbc1f30a

SHA1
8006c210289289712e3df576e315f5cf5271b916

SHA256
09c60ef344ae9ed0e9e10a4701aa7e88d8523b70ecf965b8e5319386a659757b

SHA512
bfe330792f8668ec646f7e1cddef67ca6bc50b862d43b403bd6e88bd8589dfdbbb63a1f0fc9f14f9a209e57a6951d14d82c314bae262f18534fcf414941e4dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6C1B.tmp.exe
Filesize
78KB

MD5
f0d1a4a80ccd6822a0270caf35cd9ff6

SHA1
17b21d9a53a68980f06d3a829c38ca4d8ec5e02b

SHA256
7631097ce1baac815509014d72796a55174eef3d33d1efb2674837266bd9c9f3

SHA512
e6995c356c0c26fcb5135c3ccbcd4975ebb173ddca358b58d841fd0f46dfe43c4d4c739fbe19a5ba2c7909a8014e9359afa9d27e0745e45e3be746d0372875b0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6C1B.tmp.exe
Filesize
78KB

MD5
f0d1a4a80ccd6822a0270caf35cd9ff6

SHA1
17b21d9a53a68980f06d3a829c38ca4d8ec5e02b

SHA256
7631097ce1baac815509014d72796a55174eef3d33d1efb2674837266bd9c9f3

SHA512
e6995c356c0c26fcb5135c3ccbcd4975ebb173ddca358b58d841fd0f46dfe43c4d4c739fbe19a5ba2c7909a8014e9359afa9d27e0745e45e3be746d0372875b0

Download Submit
memory/468-60-0x0000000000000000-mapping.dmp

Download
memory/888-66-0x0000000000000000-mapping.dmp

Download
memory/888-69-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/888-70-0x0000000000615000-0x0000000000626000-memory.dmp

Filesize
68KB

Download
memory/1636-56-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000074C61000-0x0000000074C63000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download