metamorpherrat | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d

Analysis

max time kernel
165s
max time network
193s
platform
windows7_x64
resource
win7-20220331-en
submitted
29-03-2022 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
Size

78KB
MD5

05137374d9702441ed3cf31896d32e55
SHA1

3429cee50a686ca29a72cd1ecbc06f4708b31e73
SHA256

9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d
SHA512

62ed902ee373da8ca290d3d0d67176c34f26b78af39f4c524417b3f732ec0732ce560c0b67c01527b5f757cb0e0c3213f9f41cebf3db4fb81a1ed91e9445cefc

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp89AA.tmp.exe

pid process

1512 tmp89AA.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp89AA.tmp.exe

pid process

1512 tmp89AA.tmp.exe

pid	process
1512	tmp89AA.tmp.exe

pid	process
1512	tmp89AA.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe

pid	process
1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp89AA.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp89AA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exetmp89AA.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
Token: SeDebugPrivilege	1512	tmp89AA.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exevbc.exe

description	pid	process	target process
PID 1788 wrote to memory of 964	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe	vbc.exe
PID 1788 wrote to memory of 964	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe	vbc.exe
PID 1788 wrote to memory of 964	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe	vbc.exe
PID 1788 wrote to memory of 964	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe	vbc.exe
PID 964 wrote to memory of 2040	964	vbc.exe	cvtres.exe
PID 964 wrote to memory of 2040	964	vbc.exe	cvtres.exe
PID 964 wrote to memory of 2040	964	vbc.exe	cvtres.exe
PID 964 wrote to memory of 2040	964	vbc.exe	cvtres.exe
PID 1788 wrote to memory of 1512	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe	tmp89AA.tmp.exe
PID 1788 wrote to memory of 1512	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe	tmp89AA.tmp.exe
PID 1788 wrote to memory of 1512	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe	tmp89AA.tmp.exe
PID 1788 wrote to memory of 1512	1788	9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe	tmp89AA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
"C:\Users\Admin\AppData\Local\Temp\9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gwmogpka.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B01.tmp"
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8B02.tmp
Filesize
1KB

MD5
9987c42501545334c9a53e1e189ad652

SHA1
5cd108c24dc0209ea6ac782511cb63a7ec4ffd0b

SHA256
2b36c6e3e91f8c0ccdd3618ff66eb39dce009fabd95a713e223b10af732b6209

SHA512
716ed50845b6caeee5815d190816192015537db43e2c25e76197deca199236948688322f5d4fa525d8c68b92b3342b45dcf890dae2f162bd0c99ca18376a7027

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwmogpka.0.vb
Filesize
14KB

MD5
3d54a6068241a564988ab6d953a2c717

SHA1
257ff3b6bd86f0d4e6de77a18777ab360229ebd9

SHA256
28e4f826d6e1ed6370f1ebdbb804ffb6c7a3ce6c5e0c321662e894957d222db4

SHA512
831930ca73067aa7062bc466c2df17fea65a0205f417ee3bf535d0d42d035235821258758786f4377304921d0bdf528cad2da5e7616595ea386addb11827a5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwmogpka.cmdline
Filesize
266B

MD5
9d6a64a50283c8e939e7bd981b155818

SHA1
260187c0d889c6f613c78e182b1c42c5ae65f54e

SHA256
68ac14d7b77081df6c23718a1d6173a20cc3ed16b096221b1f3ab241178ff20e

SHA512
f954099fe9f6b7ec21e408ad3e3efe8e2c4f2175909693e37d170d140df9a7ad12b416370e04903acf1fc5d12a8e5018b926624f66ed8c8fb479c65669b444bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe
Filesize
78KB

MD5
af85052d174be76ce298a217d1bdad07

SHA1
70bcdc4776e387a11f497a5c5dc2f816131be93d

SHA256
df0c78697278da5844fc66f708b29b98a50f3e8f5b2584ac1f9d61849e545787

SHA512
5f0ae17f12650b72a5c78684343ee94c8142596ec279fd1d22cd012bd29bff1e0ff433819e13242bc5c482617a6ad42dc8587b1adebb12c5274b9f50a7b661c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe
Filesize
78KB

MD5
af85052d174be76ce298a217d1bdad07

SHA1
70bcdc4776e387a11f497a5c5dc2f816131be93d

SHA256
df0c78697278da5844fc66f708b29b98a50f3e8f5b2584ac1f9d61849e545787

SHA512
5f0ae17f12650b72a5c78684343ee94c8142596ec279fd1d22cd012bd29bff1e0ff433819e13242bc5c482617a6ad42dc8587b1adebb12c5274b9f50a7b661c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8B01.tmp
Filesize
660B

MD5
5bcadb9144efb7681d756396f51eed38

SHA1
f6022e4829c6e675986e4af39ea09c63d0a1c0ca

SHA256
1c3ffb5fb5772a41de6e7b734a8633b9579ba65e18dbd9a7f1d64bad63343085

SHA512
53a3bb39acffd4abe2d93b18e702583e9ad5654aa79062f99edc66bb0ddefe8a72768b73c99bb39c1ecfd1749eaf893b900ca51004fa865de8176bea50eac857

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe
Filesize
78KB

MD5
af85052d174be76ce298a217d1bdad07

SHA1
70bcdc4776e387a11f497a5c5dc2f816131be93d

SHA256
df0c78697278da5844fc66f708b29b98a50f3e8f5b2584ac1f9d61849e545787

SHA512
5f0ae17f12650b72a5c78684343ee94c8142596ec279fd1d22cd012bd29bff1e0ff433819e13242bc5c482617a6ad42dc8587b1adebb12c5274b9f50a7b661c8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe
Filesize
78KB

MD5
af85052d174be76ce298a217d1bdad07

SHA1
70bcdc4776e387a11f497a5c5dc2f816131be93d

SHA256
df0c78697278da5844fc66f708b29b98a50f3e8f5b2584ac1f9d61849e545787

SHA512
5f0ae17f12650b72a5c78684343ee94c8142596ec279fd1d22cd012bd29bff1e0ff433819e13242bc5c482617a6ad42dc8587b1adebb12c5274b9f50a7b661c8

Download Submit
memory/964-55-0x0000000000000000-mapping.dmp

Download
memory/1512-66-0x0000000000000000-mapping.dmp

Download
memory/1512-69-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-70-0x0000000000155000-0x0000000000166000-memory.dmp

Filesize
68KB

Download
memory/1788-54-0x00000000755F1000-0x00000000755F3000-memory.dmp

Filesize
8KB

Download
memory/1788-58-0x00000000749B0000-0x0000000074F5B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download