metamorpherrat | dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48

Analysis

max time kernel
4294209s
max time network
154s
platform
windows7_x64
resource
win7-20220311-en
submitted
29-03-2022 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
Size

78KB
MD5

0202f350251abbbae1a2740143ba261b
SHA1

3c9a4e171a1d1e8e2ef8ae3494edc498a6930144
SHA256

dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48
SHA512

b419e5b15b3d74b95b255d9e8ef37b1e96f1a4bdaf27b9c70f0e8777d9dfcf352c46a7b419dd99f846bd416110bd1dd6c047d2ca9ea7130fe6ca24955b16523e

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp513C.tmp.exe

pid process

1792 tmp513C.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp513C.tmp.exe

pid process

1792 tmp513C.tmp.exe

pid	process
1792	tmp513C.tmp.exe

pid	process
1792	tmp513C.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe

pid	process
1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp513C.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp513C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exetmp513C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
Token: SeDebugPrivilege	1792	tmp513C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exevbc.exe

description	pid	process	target process
PID 1624 wrote to memory of 1548	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe	vbc.exe
PID 1624 wrote to memory of 1548	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe	vbc.exe
PID 1624 wrote to memory of 1548	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe	vbc.exe
PID 1624 wrote to memory of 1548	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe	vbc.exe
PID 1548 wrote to memory of 1088	1548	vbc.exe	cvtres.exe
PID 1548 wrote to memory of 1088	1548	vbc.exe	cvtres.exe
PID 1548 wrote to memory of 1088	1548	vbc.exe	cvtres.exe
PID 1548 wrote to memory of 1088	1548	vbc.exe	cvtres.exe
PID 1624 wrote to memory of 1792	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe	tmp513C.tmp.exe
PID 1624 wrote to memory of 1792	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe	tmp513C.tmp.exe
PID 1624 wrote to memory of 1792	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe	tmp513C.tmp.exe
PID 1624 wrote to memory of 1792	1624	dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe	tmp513C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
"C:\Users\Admin\AppData\Local\Temp\dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0fx85wf4.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5330.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc531F.tmp"
3⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0fx85wf4.0.vb
Filesize
14KB

MD5
e89197c39388e53a02a95ed8079f0beb

SHA1
57e301c5a122cf5faef6b924530c2f7688d2d336

SHA256
70da5f720a460d9a627788dda802d2881b74ff76e2689e11e2c7dff04ef782c7

SHA512
d5398e5943d823069859c3091781a1d1ee35be6f3110f9ac8fe3f5fdb1076f25b7a43e04b0abbfe4245846d561392d48f29fd0f9380fd339d293f68b1a1e47a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fx85wf4.cmdline
Filesize
266B

MD5
3a68a3a0ec610b61c6b67f33aeeb894d

SHA1
6de65d3e957d079b7b8875cdceb80f645c3024ca

SHA256
ae9574a0bef833a30050446da8552b76234350547be783b5ab01596384c97762

SHA512
c8bb13f3177d94a94f0352467e12f192769b3f8e2c77a816f905c45e2b17426f3853383f454dfceb7837c393d5fe9c2da26addbb98b053fd9b9ada3c7707b71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5330.tmp
Filesize
1KB

MD5
0e96ffdb616f7d3467d3ec51e07809ac

SHA1
582b4b2e95e8a100ce9028c72de947b884368225

SHA256
7fd72127505a0ade91bd4fba075a0e1c02e1a6db31d69947b8365e1b9fbf8676

SHA512
9affad22aaae74bacf338c994197cc2d328050aae79ec0c1f17bc5a419b6ac22e90c06b30429b0bd3604d05daf360d7c3ff81b16887bb50e4c00556baceede3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe
Filesize
78KB

MD5
b27de2518a6977dc9a16102c746b5a39

SHA1
3a3cfa1c4569a713e598e53fd84ad7c2e88c1779

SHA256
92265a77bf578e8e10c375e4bcb9b8b3984736fdde37ecb5a78e4b6b65390416

SHA512
21ec652eb52d4d490f869b89f42c80ac159a6a5a8a3453dd8acad7c05f5e159d6134ba749d449ff688c1b40469fe670d90bb7ab655b9dbb17654dd1ff2d820d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe
Filesize
78KB

MD5
b27de2518a6977dc9a16102c746b5a39

SHA1
3a3cfa1c4569a713e598e53fd84ad7c2e88c1779

SHA256
92265a77bf578e8e10c375e4bcb9b8b3984736fdde37ecb5a78e4b6b65390416

SHA512
21ec652eb52d4d490f869b89f42c80ac159a6a5a8a3453dd8acad7c05f5e159d6134ba749d449ff688c1b40469fe670d90bb7ab655b9dbb17654dd1ff2d820d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc531F.tmp
Filesize
660B

MD5
a723fdee471a2f77c6e89741fb56501a

SHA1
b7831f260f5493ccc4f721489d068aaab7cff66d

SHA256
990cc0f9eadd23c08ed25b607da608214b378483779a4243e98b17bb6de538e4

SHA512
5c459c817f31d2e1ee3885112e67dd23bb614b099859eb44e4999b27fc10fdd0ec8f32271b2b1bf0f113c5b94cfe672939e175bf18f2b1ad41cf16efbb53ca93

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe
Filesize
78KB

MD5
b27de2518a6977dc9a16102c746b5a39

SHA1
3a3cfa1c4569a713e598e53fd84ad7c2e88c1779

SHA256
92265a77bf578e8e10c375e4bcb9b8b3984736fdde37ecb5a78e4b6b65390416

SHA512
21ec652eb52d4d490f869b89f42c80ac159a6a5a8a3453dd8acad7c05f5e159d6134ba749d449ff688c1b40469fe670d90bb7ab655b9dbb17654dd1ff2d820d0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe
Filesize
78KB

MD5
b27de2518a6977dc9a16102c746b5a39

SHA1
3a3cfa1c4569a713e598e53fd84ad7c2e88c1779

SHA256
92265a77bf578e8e10c375e4bcb9b8b3984736fdde37ecb5a78e4b6b65390416

SHA512
21ec652eb52d4d490f869b89f42c80ac159a6a5a8a3453dd8acad7c05f5e159d6134ba749d449ff688c1b40469fe670d90bb7ab655b9dbb17654dd1ff2d820d0

Download Submit
memory/1088-60-0x0000000000000000-mapping.dmp

Download
memory/1548-56-0x0000000000000000-mapping.dmp

Download
memory/1624-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1624-55-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-66-0x0000000000000000-mapping.dmp

Download
memory/1792-69-0x00000000740D0000-0x000000007467B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-70-0x00000000022B5000-0x00000000022C6000-memory.dmp

Filesize
68KB

Download