metamorpherrat | d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe

Analysis

max time kernel
4294223s
max time network
174s
platform
windows7_x64
resource
win7-20220311-en
submitted
29-03-2022 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe
Size

78KB
MD5

05b780bea5526c3e73d9a33070fda7af
SHA1

7e9414b2b904606559d76e72547c931032f2f053
SHA256

d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe
SHA512

83ad5d9a4e65844bdf962d1c00391ffe24e98cb96ca41fba706076196c7ab4596bf132e935bfea4738b5da174f272c9d449b06994ca9dfc27142b45e1c477921

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp6171.tmp.exe

pid process

1604 tmp6171.tmp.exe

pid	process
1604	tmp6171.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe

pid	process
2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe
2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp6171.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp6171.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exetmp6171.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe
Token: SeDebugPrivilege	1604	tmp6171.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exevbc.exe

description	pid	process	target process
PID 2020 wrote to memory of 968	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe	vbc.exe
PID 2020 wrote to memory of 968	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe	vbc.exe
PID 2020 wrote to memory of 968	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe	vbc.exe
PID 2020 wrote to memory of 968	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe	vbc.exe
PID 968 wrote to memory of 764	968	vbc.exe	cvtres.exe
PID 968 wrote to memory of 764	968	vbc.exe	cvtres.exe
PID 968 wrote to memory of 764	968	vbc.exe	cvtres.exe
PID 968 wrote to memory of 764	968	vbc.exe	cvtres.exe
PID 2020 wrote to memory of 1604	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe	tmp6171.tmp.exe
PID 2020 wrote to memory of 1604	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe	tmp6171.tmp.exe
PID 2020 wrote to memory of 1604	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe	tmp6171.tmp.exe
PID 2020 wrote to memory of 1604	2020	d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe	tmp6171.tmp.exe

C:\Users\Admin\AppData\Local\Temp\d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe
"C:\Users\Admin\AppData\Local\Temp\d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aw3_2yg2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62A9.tmp"
3⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\tmp6171.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6171.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d7b1c60139b208a733e00ee9661f17379e6dab8b5d0e26e7b5f54479f5a6cafe.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES62AA.tmp
Filesize
1KB

MD5
3cc8cb130f3ab08ce44b0c2651db5a71

SHA1
ca24a5303cada582259f76fd86b90fc96479822a

SHA256
2f34cd0e0b2ee47b11c6053ed749b08026339ed0301360936e674549cefdc5f6

SHA512
ed4c2e0d20e530afc3d9fc3d4795b4d4e43062a1080b454c6d3c4f14f86a80f510e5a8f11946413b2f8ffe580319128485759a3cae67ac23f450b29692fd80cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aw3_2yg2.0.vb
Filesize
15KB

MD5
b72235c704fd9a62d7ad0a720f55476a

SHA1
8bef728ab93ffca12ddf03b7126a52741c957d75

SHA256
415db721bb8fd1351f9f58e7758f3acd21f0525afed8d1f6c24a1392c820605e

SHA512
9a9d89b08b198a5ebfe155903f737b7f6414a9ca950e52c6271c73bb058ee3b1cade97aa10215cbc325e0738388eec8037f1a8e4dabedc6c676096ea21dce8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aw3_2yg2.cmdline
Filesize
266B

MD5
f37f2d4ff047032073ace3630aa4203e

SHA1
08145b49cd3a868c2137709b6cab68fc07b3e6d5

SHA256
8a316f05f59402566a069b72d610b30f014600475c32411fa17e8093bcb02ab1

SHA512
86fd6573c9b2e284dd80d51a5da3c545cb25f4e70dbca8816e08f408471bbb5b5a3aee1afd37fb62bc45d6815af22f6e701667556c2e7bf083f86c127cae5daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6171.tmp.exe
Filesize
78KB

MD5
a47579cc481cc7f9528791ec622f2d85

SHA1
499efcf2d8e7dfcf366bb7fd8622847f1fddc02c

SHA256
8797e098d8e1b2f9fa14ad133a3a21cb1274079e2726ea9be7df1e9300c63c44

SHA512
89652b5c36d4687200c9d92ffc738744f4679b048d7c335f6be6622d1ad992fb6d3493fddcff9790a88b170961d140f6f21911a006ab8bc9f99c5f76c6ea2f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6171.tmp.exe
Filesize
78KB

MD5
a47579cc481cc7f9528791ec622f2d85

SHA1
499efcf2d8e7dfcf366bb7fd8622847f1fddc02c

SHA256
8797e098d8e1b2f9fa14ad133a3a21cb1274079e2726ea9be7df1e9300c63c44

SHA512
89652b5c36d4687200c9d92ffc738744f4679b048d7c335f6be6622d1ad992fb6d3493fddcff9790a88b170961d140f6f21911a006ab8bc9f99c5f76c6ea2f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc62A9.tmp
Filesize
660B

MD5
671565a157d7eacadbb962fcb59d7745

SHA1
616c4bb9b31401ee4ffcb229d5a115f02d4c7b92

SHA256
67a676bcfe0c44ed866ab65e894ecf38479e6e54146e1950e2bea110f26420f0

SHA512
e8ea389d80e6a8a3bde7ebc3f5d2e979e37f6504846a82fdb7df39341ff2bb78b682fa76dffdf79be4ec54902839a15f644b91fda2a863dd70b5f35c2530b7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6171.tmp.exe
Filesize
78KB

MD5
a47579cc481cc7f9528791ec622f2d85

SHA1
499efcf2d8e7dfcf366bb7fd8622847f1fddc02c

SHA256
8797e098d8e1b2f9fa14ad133a3a21cb1274079e2726ea9be7df1e9300c63c44

SHA512
89652b5c36d4687200c9d92ffc738744f4679b048d7c335f6be6622d1ad992fb6d3493fddcff9790a88b170961d140f6f21911a006ab8bc9f99c5f76c6ea2f3c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6171.tmp.exe
Filesize
78KB

MD5
a47579cc481cc7f9528791ec622f2d85

SHA1
499efcf2d8e7dfcf366bb7fd8622847f1fddc02c

SHA256
8797e098d8e1b2f9fa14ad133a3a21cb1274079e2726ea9be7df1e9300c63c44

SHA512
89652b5c36d4687200c9d92ffc738744f4679b048d7c335f6be6622d1ad992fb6d3493fddcff9790a88b170961d140f6f21911a006ab8bc9f99c5f76c6ea2f3c

Download Submit
memory/764-59-0x0000000000000000-mapping.dmp

Download
memory/968-55-0x0000000000000000-mapping.dmp

Download
memory/1604-65-0x0000000000000000-mapping.dmp

Download
memory/1604-68-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-70-0x0000000000AB5000-0x0000000000AC6000-memory.dmp

Filesize
68KB

Download
memory/2020-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/2020-69-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download