metamorpherrat | eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c

Analysis

max time kernel
4294212s
max time network
152s
platform
windows7_x64
resource
win7-20220310-en
submitted
26-03-2022 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe
Size

78KB
MD5

f1ca4613ecaf3b075cd4357124ea13f9
SHA1

4075af3be4a39a6efd446e3bd959e77b511056bc
SHA256

eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c
SHA512

3689e5cceedd615ea3f42c11fd91a23ad9867858ae5e91e6937260dbadf599ebc47758339aedde9eb69bc3a31b2a90de62ff97023ab81fe23327b84e548c5ac6

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp495F.tmp.exe

pid process

596 tmp495F.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp495F.tmp.exe

pid process

596 tmp495F.tmp.exe

pid	process
596	tmp495F.tmp.exe

pid	process
596	tmp495F.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe

pid	process
2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe
2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp495F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp495F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exetmp495F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe
Token: SeDebugPrivilege	596	tmp495F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exevbc.exe

description	pid	process	target process
PID 2004 wrote to memory of 1084	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe	vbc.exe
PID 2004 wrote to memory of 1084	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe	vbc.exe
PID 2004 wrote to memory of 1084	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe	vbc.exe
PID 2004 wrote to memory of 1084	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe	vbc.exe
PID 1084 wrote to memory of 584	1084	vbc.exe	cvtres.exe
PID 1084 wrote to memory of 584	1084	vbc.exe	cvtres.exe
PID 1084 wrote to memory of 584	1084	vbc.exe	cvtres.exe
PID 1084 wrote to memory of 584	1084	vbc.exe	cvtres.exe
PID 2004 wrote to memory of 596	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe	tmp495F.tmp.exe
PID 2004 wrote to memory of 596	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe	tmp495F.tmp.exe
PID 2004 wrote to memory of 596	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe	tmp495F.tmp.exe
PID 2004 wrote to memory of 596	2004	eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe	tmp495F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe
"C:\Users\Admin\AppData\Local\Temp\eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6uusnu6x.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CD8.tmp"
3⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\tmp495F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp495F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eda9fd3f077c8a8841cc1ea244271d4f4d71d97181486361943540c6876f1f0c.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6uusnu6x.0.vb
Filesize
14KB

MD5
b8fe5cca7094faf643f5bc9c488d408a

SHA1
7ba837b473c3d45d6fde33c1ff5811f3662d3e1e

SHA256
9d10b4c7136db49e1cbe7ef1a188daee46d4bf2b8bccfa35133c183b38233e4d

SHA512
51bd72206670b7fb7bff0626d0874bb5f4ba7e521e8be9faaaa04a6b403bc65447b3574c0620bfb40720391be31d5066e1bc1cb7a87c5e434edf8c1fcb91d4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uusnu6x.cmdline
Filesize
266B

MD5
cbe90745e2fd52246773819bd0ca067a

SHA1
8e89f13bcd33d5b61ebb3a51acadd35f0cca6999

SHA256
368459beeeced4b2bd02b735fc93f9fc39ff94e6391cc9b4f42ba45a6218ffea

SHA512
31f6f21770000be170abbcf4ee23e2ea57ee610ee2b36c8e81b532be536eced397e5796c7ef5459046410d63dfca42357da6a83538420580f12c237367fba842

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CE9.tmp
Filesize
1KB

MD5
245e429dbeec0a01ba93953c9dfe330f

SHA1
2f87461704156dcf67509c81296c04da05aa286e

SHA256
2960782a18f40e073a0d471c9468c68a9145ec8a96fb187858800b448900f69a

SHA512
b8a2e5be62e2c76ecfc7b5409790d840cf0b78d640d101194e88aa57041f4970a15ffffdf50ac770e6728b24115ac11e124fda2ad396d596a5cef7fd4d8fa08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp495F.tmp.exe
Filesize
78KB

MD5
0913c13c01364595f32e855e65cb498a

SHA1
0a69c5578a2d9351ec799240cc63ad324a0c2acb

SHA256
e70e9b612f22113d7fdce6b2fe7bbf1553d450d1f5747c6564b140a4f89db705

SHA512
2bd4c1434632bf1b662f221c14b03e3fdf1b69517348cc4c919aa250151de5619fae421dca11e3a861130ac172840b235c95f4678b4f4d2f6b4c418ba6fec771

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp495F.tmp.exe
Filesize
78KB

MD5
0913c13c01364595f32e855e65cb498a

SHA1
0a69c5578a2d9351ec799240cc63ad324a0c2acb

SHA256
e70e9b612f22113d7fdce6b2fe7bbf1553d450d1f5747c6564b140a4f89db705

SHA512
2bd4c1434632bf1b662f221c14b03e3fdf1b69517348cc4c919aa250151de5619fae421dca11e3a861130ac172840b235c95f4678b4f4d2f6b4c418ba6fec771

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4CD8.tmp
Filesize
660B

MD5
da1e260f5a2c5b9a1ef64f80dda5b7ff

SHA1
2806be170a649ecfa55bd0bc0986de9f7ad1146e

SHA256
291e58e66aa9a8e0f035ee8cacf594b10f6f399ba3b75f09564ff554481ec0df

SHA512
b3b8348e3b791992f43c244c1a255e8721cfed5067c3a1bae616f91a5dc8fa51a3a6d6706cb41748d3d481926f753508e368b3ddd5afd200ae29e2424ec15e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp495F.tmp.exe
Filesize
78KB

MD5
0913c13c01364595f32e855e65cb498a

SHA1
0a69c5578a2d9351ec799240cc63ad324a0c2acb

SHA256
e70e9b612f22113d7fdce6b2fe7bbf1553d450d1f5747c6564b140a4f89db705

SHA512
2bd4c1434632bf1b662f221c14b03e3fdf1b69517348cc4c919aa250151de5619fae421dca11e3a861130ac172840b235c95f4678b4f4d2f6b4c418ba6fec771

Download Submit
\Users\Admin\AppData\Local\Temp\tmp495F.tmp.exe
Filesize
78KB

MD5
0913c13c01364595f32e855e65cb498a

SHA1
0a69c5578a2d9351ec799240cc63ad324a0c2acb

SHA256
e70e9b612f22113d7fdce6b2fe7bbf1553d450d1f5747c6564b140a4f89db705

SHA512
2bd4c1434632bf1b662f221c14b03e3fdf1b69517348cc4c919aa250151de5619fae421dca11e3a861130ac172840b235c95f4678b4f4d2f6b4c418ba6fec771

Download Submit
memory/584-60-0x0000000000000000-mapping.dmp

Download
memory/596-66-0x0000000000000000-mapping.dmp

Download
memory/596-69-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download
memory/596-70-0x0000000000905000-0x0000000000916000-memory.dmp

Filesize
68KB

Download
memory/1084-56-0x0000000000000000-mapping.dmp

Download
memory/2004-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/2004-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download