metamorpherrat | 9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220331-en
submitted
29-03-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
Size

78KB
MD5

02f5520d2b448f25ad85e4ad4f0ea9e9
SHA1

c4db23e93244ec18847354ea2d2787ff65dfdd8e
SHA256

9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826
SHA512

d9d661af0f54c0d8c6949992474b29ba172199adf926b9018e3aeb213205ecf44613f86e93d031786d29012e80e78cf8cbc4de6034d5d0c45a87de5ef2c25945

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF799.tmp.exe

pid process

1552 tmpF799.tmp.exe

pid	process
1552	tmpF799.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe

pid	process
2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpF799.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpF799.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exetmpF799.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
Token: SeDebugPrivilege	1552	tmpF799.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exevbc.exe

description	pid	process	target process
PID 2032 wrote to memory of 1640	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe	vbc.exe
PID 2032 wrote to memory of 1640	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe	vbc.exe
PID 2032 wrote to memory of 1640	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe	vbc.exe
PID 2032 wrote to memory of 1640	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe	vbc.exe
PID 1640 wrote to memory of 1264	1640	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 1264	1640	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 1264	1640	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 1264	1640	vbc.exe	cvtres.exe
PID 2032 wrote to memory of 1552	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe	tmpF799.tmp.exe
PID 2032 wrote to memory of 1552	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe	tmpF799.tmp.exe
PID 2032 wrote to memory of 1552	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe	tmpF799.tmp.exe
PID 2032 wrote to memory of 1552	2032	9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe	tmpF799.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
"C:\Users\Admin\AppData\Local\Temp\9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_7z8sric.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF910.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF900.tmp"
3⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF910.tmp
Filesize
1KB

MD5
fd7052a286701a005b656eb194689f17

SHA1
de7610ca784ad4954fa0eb5e36190b87ecef438f

SHA256
7c7ba993e0468995341a6724138654dce8b34f6e8fd760b8019affa19b30be79

SHA512
86f4c5d4247e5267e76e54a53618e7c967f8f116f0caab3179f6a6cb6c2857c60e283ca07733505a8b61f33cc6916b83238b2d287dece85cf7245e11e72321ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_7z8sric.0.vb
Filesize
15KB

MD5
cc9c046c0018ae86d18fd3cdb82f24b9

SHA1
1c8ab8e2f6e9d431e2f690e1e677c7a9f0fb44fa

SHA256
09317cfd32afae94eff91468485eb4753ca452a9356128e459f7fef886f40fe8

SHA512
2e547dc82485e6f7900839307da91b5959f8db40074bb9c35989c0b72a1f69949c8140e09f55190d694224f4728f7353168705059e49722af7b5a9f2bbff11ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_7z8sric.cmdline
Filesize
266B

MD5
6462458b831d199130042c36f74d8dda

SHA1
22a7b5326f6e4638f064a66f05df34e0b420b03e

SHA256
521ad8734bcd3e7091df7ea91fab85014a5d0f6946f80d71cf07502e31f470e8

SHA512
9e3d919ad607ec438f6b79e5b0ccf8510269d82524cb8df0e2c270085a57de5d4ef6b5488ddff87992ee17e83e83a0bcfbc86b223503c46422cce6bcdb98d68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe
Filesize
78KB

MD5
bc23e5d4b63614adedde8172478a13fd

SHA1
662be9903457e6671b3e9bb45b7666c7fcfd6ce7

SHA256
e747f33779d45c4cc40096cddeaa926bcac419eb72c6aa62fbc0893109ca9ceb

SHA512
45bacc8485771435b9b7c63c4d24c7df314c5cc40f5585957d77b70c7d19216a16859367a42aa2e91803c0472ee13f3f7cff63fc4b34d929afa10f16350713af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe
Filesize
78KB

MD5
bc23e5d4b63614adedde8172478a13fd

SHA1
662be9903457e6671b3e9bb45b7666c7fcfd6ce7

SHA256
e747f33779d45c4cc40096cddeaa926bcac419eb72c6aa62fbc0893109ca9ceb

SHA512
45bacc8485771435b9b7c63c4d24c7df314c5cc40f5585957d77b70c7d19216a16859367a42aa2e91803c0472ee13f3f7cff63fc4b34d929afa10f16350713af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF900.tmp
Filesize
660B

MD5
4d85e65e7d1aa532ef98abdde096404d

SHA1
c449c2c2032671303b238ed3e2629880d506205f

SHA256
af56a23cb98bf35d94bde928a864b0a2eed1c5d085f97de3195a518bf0db8f02

SHA512
5b6ed74a9a59cf132ee0cba2f2e4bf1f231362b7e70a13f1734e7ef2bf31be69b00810cd71585d382a16b055f7a57fdfd3526122619c32f023d808ce6157d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe
Filesize
78KB

MD5
bc23e5d4b63614adedde8172478a13fd

SHA1
662be9903457e6671b3e9bb45b7666c7fcfd6ce7

SHA256
e747f33779d45c4cc40096cddeaa926bcac419eb72c6aa62fbc0893109ca9ceb

SHA512
45bacc8485771435b9b7c63c4d24c7df314c5cc40f5585957d77b70c7d19216a16859367a42aa2e91803c0472ee13f3f7cff63fc4b34d929afa10f16350713af

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe
Filesize
78KB

MD5
bc23e5d4b63614adedde8172478a13fd

SHA1
662be9903457e6671b3e9bb45b7666c7fcfd6ce7

SHA256
e747f33779d45c4cc40096cddeaa926bcac419eb72c6aa62fbc0893109ca9ceb

SHA512
45bacc8485771435b9b7c63c4d24c7df314c5cc40f5585957d77b70c7d19216a16859367a42aa2e91803c0472ee13f3f7cff63fc4b34d929afa10f16350713af

Download Submit
memory/1264-59-0x0000000000000000-mapping.dmp

Download
memory/1552-65-0x0000000000000000-mapping.dmp

Download
memory/1552-69-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-70-0x0000000002235000-0x0000000002246000-memory.dmp

Filesize
68KB

Download
memory/1640-55-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/2032-68-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download