metamorpherrat | c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49

Analysis

max time kernel
4294224s
max time network
177s
platform
windows7_x64
resource
win7-20220311-en
submitted
29-03-2022 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe
Size

78KB
MD5

01579875f974e0d86a05ff91fa9f50b3
SHA1

88ca1813d13a245558e16dac151f81408a0a8fab
SHA256

c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49
SHA512

90bc3cd313c2e44ac238d0a77089ab2b68ae93454b48cab09d19ed1da79ad7f20f209a3390f9af9cbcad3463a58a11d8f61b506de9b7279c3348f5b54a00fe28

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp8037.tmp.exe

pid process

1464 tmp8037.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp8037.tmp.exe

pid process

1464 tmp8037.tmp.exe

pid	process
1464	tmp8037.tmp.exe

pid	process
1464	tmp8037.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe

pid	process
268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe
268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp8037.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8037.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exetmp8037.tmp.exe

description	pid	process
Token: SeDebugPrivilege	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe
Token: SeDebugPrivilege	1464	tmp8037.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exevbc.exe

description	pid	process	target process
PID 268 wrote to memory of 320	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe	vbc.exe
PID 268 wrote to memory of 320	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe	vbc.exe
PID 268 wrote to memory of 320	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe	vbc.exe
PID 268 wrote to memory of 320	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe	vbc.exe
PID 320 wrote to memory of 556	320	vbc.exe	cvtres.exe
PID 320 wrote to memory of 556	320	vbc.exe	cvtres.exe
PID 320 wrote to memory of 556	320	vbc.exe	cvtres.exe
PID 320 wrote to memory of 556	320	vbc.exe	cvtres.exe
PID 268 wrote to memory of 1464	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe	tmp8037.tmp.exe
PID 268 wrote to memory of 1464	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe	tmp8037.tmp.exe
PID 268 wrote to memory of 1464	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe	tmp8037.tmp.exe
PID 268 wrote to memory of 1464	268	c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe	tmp8037.tmp.exe

C:\Users\Admin\AppData\Local\Temp\c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe
"C:\Users\Admin\AppData\Local\Temp\c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_afi8xh3.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81AE.tmp"
3⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c4862f15465388e4a45c9f435ea08088ee506c53d4f8ca0c3afa89790ed8df49.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES81BE.tmp
Filesize
1KB

MD5
2741ec026888007de8161e242df55996

SHA1
c385602db52b3ffac801e0b51c42a13f48eb8877

SHA256
b5ddcf362f54445e77d22fa84ef094dfbbe079408149edf5a603a998aee7a054

SHA512
0b9b75e031f066c82b8e46068eb6e64088093605a1323cd47dd460c10593615f52ee87d5141c2bb644ac02de464217c86e8325a41760914effaad6a597bf65b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_afi8xh3.0.vb
Filesize
15KB

MD5
76543ed641baa905a1fe0807d4845921

SHA1
480eb9f67be3fc5812e84e4003cd774f574fc60f

SHA256
fec7161afdcec9361c9feb13345969744e95382270d14cf40635d8818e684f38

SHA512
854e07efd9689f832057700fe274a7f57f979ce3ae44774add387e88c35f2e3bd48e4ff2223e95349711ea330c4888249646a965fcdfd7208baac668d9c02e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_afi8xh3.cmdline
Filesize
266B

MD5
c81cf1e4332e05cba0e9323a39fdfc5c

SHA1
9d81fbd7952103183163bef35272f71c8b877c65

SHA256
4169edc94df0a9a8278d86dce4f888c2510fdbcc226b496b5824c27d3ecc92b1

SHA512
66f53e9f5c929d06d97485f5c37c0d573c816f903feaf72a18434d2c5bf7b113688ef726ecd810e4c72541747f910b4bde24b0721d198a01044ebe1ca77e3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe
Filesize
78KB

MD5
7f89d762e00c468105a8ea5cd13b4ca2

SHA1
6bf2d5748f5e81497548655adb2efb688e315363

SHA256
6bc548539f459b628183d05d74b59baa70852ef508671018f673c7e9beb1c687

SHA512
9e1cb264003fa9db580e8eb36a244b816452b8598c40532533f3f9aa26cf67456faa5501a830e69eddcd1518ac75a638b0adbfc3d7647e2f5eb6e1cb0b2cd91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe
Filesize
78KB

MD5
7f89d762e00c468105a8ea5cd13b4ca2

SHA1
6bf2d5748f5e81497548655adb2efb688e315363

SHA256
6bc548539f459b628183d05d74b59baa70852ef508671018f673c7e9beb1c687

SHA512
9e1cb264003fa9db580e8eb36a244b816452b8598c40532533f3f9aa26cf67456faa5501a830e69eddcd1518ac75a638b0adbfc3d7647e2f5eb6e1cb0b2cd91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc81AE.tmp
Filesize
660B

MD5
febb10c1a90e3cb692eb0318f49fe90b

SHA1
00b80cd3367d8435d2506577ed87ceb9816ea21c

SHA256
805a2c05bde3b41e9efcb912efbe6a31c987501b1b838954af442429bc9b60c2

SHA512
6c6b9a2a83e5d9532bc6a5e0598c5bb28d190ffcb4859f87f09efda0fa3ec457d190fc2dacb8989f0d3002e4e8bdaeef4ebc65f6b16816f1d23f76d8a0245037

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe
Filesize
78KB

MD5
7f89d762e00c468105a8ea5cd13b4ca2

SHA1
6bf2d5748f5e81497548655adb2efb688e315363

SHA256
6bc548539f459b628183d05d74b59baa70852ef508671018f673c7e9beb1c687

SHA512
9e1cb264003fa9db580e8eb36a244b816452b8598c40532533f3f9aa26cf67456faa5501a830e69eddcd1518ac75a638b0adbfc3d7647e2f5eb6e1cb0b2cd91e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe
Filesize
78KB

MD5
7f89d762e00c468105a8ea5cd13b4ca2

SHA1
6bf2d5748f5e81497548655adb2efb688e315363

SHA256
6bc548539f459b628183d05d74b59baa70852ef508671018f673c7e9beb1c687

SHA512
9e1cb264003fa9db580e8eb36a244b816452b8598c40532533f3f9aa26cf67456faa5501a830e69eddcd1518ac75a638b0adbfc3d7647e2f5eb6e1cb0b2cd91e

Download Submit
memory/268-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/268-57-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/320-55-0x0000000000000000-mapping.dmp

Download
memory/556-60-0x0000000000000000-mapping.dmp

Download
memory/1464-66-0x0000000000000000-mapping.dmp

Download
memory/1464-69-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1464-70-0x0000000000225000-0x0000000000236000-memory.dmp

Filesize
68KB

Download