metamorpherrat | d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef

Analysis

max time kernel
4294211s
max time network
156s
platform
windows7_x64
resource
win7-20220311-en
submitted
29-03-2022 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe
Size

78KB
MD5

000d208397403014c9e7aec35aac19dd
SHA1

c4dca805a58e53c558edb979b834357ddc31b48b
SHA256

d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef
SHA512

7193251e0422e150f85397bd484c598582c8a39cac80f2412d3263fbbc400fe0aa875dff95c1459f8e88ca0a987a1c302405e6d250bfa175e6f8c8777b853c6e

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp4F96.tmp.exe

pid process

832 tmp4F96.tmp.exe

pid	process
832	tmp4F96.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe

pid	process
1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe
1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp4F96.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp4F96.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exetmp4F96.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe
Token: SeDebugPrivilege	832	tmp4F96.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exevbc.exe

description	pid	process	target process
PID 1040 wrote to memory of 1952	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe	vbc.exe
PID 1040 wrote to memory of 1952	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe	vbc.exe
PID 1040 wrote to memory of 1952	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe	vbc.exe
PID 1040 wrote to memory of 1952	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe	vbc.exe
PID 1952 wrote to memory of 1876	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 1876	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 1876	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 1876	1952	vbc.exe	cvtres.exe
PID 1040 wrote to memory of 832	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe	tmp4F96.tmp.exe
PID 1040 wrote to memory of 832	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe	tmp4F96.tmp.exe
PID 1040 wrote to memory of 832	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe	tmp4F96.tmp.exe
PID 1040 wrote to memory of 832	1040	d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe	tmp4F96.tmp.exe

C:\Users\Admin\AppData\Local\Temp\d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe
"C:\Users\Admin\AppData\Local\Temp\d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d2ufypee.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES510E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50FD.tmp"
3⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\tmp4F96.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4F96.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d054668263e33a0e341c2679ac3b2aa6233b3d2aa8975baeb743d3f9fdbb73ef.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES510E.tmp
Filesize
1KB

MD5
3f7b1d36ab1257f58dccbcbd9e6b7044

SHA1
0d7275dcf69ff340584642adb096bf5d0d469b4e

SHA256
6e36b509325e1d40aa4031ecd1c071ee374d0cc83f94808fc9e94fd4cb6846c9

SHA512
5c4fef791e4c9a788fd6ced25688957d0bf21a13b0818d3fa8a3676f57c5b0371981b2af943d1fab797ce77a0a1bda14c13bc06d00426ffd30d5b84e5b1ca39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2ufypee.0.vb
Filesize
14KB

MD5
f5ea4a3dd401d175904af04b92b46f0f

SHA1
aa73355ccad908afda8edc7c844a766c09ee83be

SHA256
660b8b75cf5f977e863a3e75296c02f083af6185c18cbeac2ffece44a9cb4513

SHA512
481cf4c7ac71900b9d38daa7e63776e09a51180eda9187037bd90baf12ced4695b85ec8e3b410c11cf3c3530806b7905ab6bd1c6fd7d682ec5cd026164d29ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2ufypee.cmdline
Filesize
266B

MD5
8a107030b525708e8a649e1c9cd3be18

SHA1
ad87bc7ed4eae3997da99569dcc70e4b4a38c26f

SHA256
ece3651fe2a6d140ba39b041bb0c24b00dd6b960e58309bc5eff6376e60e1b3e

SHA512
cfe5adc95b7ccec8cb5e3362a08aa7e9633346ef5b77b545300a586759d9a819040611e8b6721f391a519a4d3c6eb4bc8f7266c613007884b8b4d17d8ad66c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F96.tmp.exe
Filesize
78KB

MD5
339438041da1293f962a862d0d619906

SHA1
27d3a4f9ced49cc3c31711418ba5fcd1cc4cca64

SHA256
762f7d547339aa32cd3a9b797884e550bcb38c5cde7dece03849110a0befcfcd

SHA512
1f221bc1416642daafc15c14bb1a5886309c9962ffb413756e69c4445e7f44bf49cf54dcb86e69efbc0ee3028d2ceabc78f7b16692f4ab928c8541a1495912fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F96.tmp.exe
Filesize
78KB

MD5
339438041da1293f962a862d0d619906

SHA1
27d3a4f9ced49cc3c31711418ba5fcd1cc4cca64

SHA256
762f7d547339aa32cd3a9b797884e550bcb38c5cde7dece03849110a0befcfcd

SHA512
1f221bc1416642daafc15c14bb1a5886309c9962ffb413756e69c4445e7f44bf49cf54dcb86e69efbc0ee3028d2ceabc78f7b16692f4ab928c8541a1495912fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc50FD.tmp
Filesize
660B

MD5
d85a1fc42ddaeafbdb696e4fc7e072b8

SHA1
9aeadda70a906f7b2a7baff8d34375b8f0c56b54

SHA256
66b34b00a185d07e702d19f8fab2c3f6fc9cb88651fe7751ee3d70378fe32753

SHA512
cad66a0b5499ee0cffa43adf26219a771cd44eb396f29bbd59eb36ef8e3b1c1e4f68a9a1cf0e0ca0cbad4ee7b8216a80abfee43fd9c61b0851f1daa93c8ca029

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp4F96.tmp.exe
Filesize
78KB

MD5
339438041da1293f962a862d0d619906

SHA1
27d3a4f9ced49cc3c31711418ba5fcd1cc4cca64

SHA256
762f7d547339aa32cd3a9b797884e550bcb38c5cde7dece03849110a0befcfcd

SHA512
1f221bc1416642daafc15c14bb1a5886309c9962ffb413756e69c4445e7f44bf49cf54dcb86e69efbc0ee3028d2ceabc78f7b16692f4ab928c8541a1495912fb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp4F96.tmp.exe
Filesize
78KB

MD5
339438041da1293f962a862d0d619906

SHA1
27d3a4f9ced49cc3c31711418ba5fcd1cc4cca64

SHA256
762f7d547339aa32cd3a9b797884e550bcb38c5cde7dece03849110a0befcfcd

SHA512
1f221bc1416642daafc15c14bb1a5886309c9962ffb413756e69c4445e7f44bf49cf54dcb86e69efbc0ee3028d2ceabc78f7b16692f4ab928c8541a1495912fb

Download Submit
memory/832-65-0x0000000000000000-mapping.dmp

Download
memory/832-69-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/832-70-0x0000000000A15000-0x0000000000A26000-memory.dmp

Filesize
68KB

Download
memory/1040-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download
memory/1040-68-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-59-0x0000000000000000-mapping.dmp

Download
memory/1952-55-0x0000000000000000-mapping.dmp

Download