metamorpherrat | 8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7

Analysis

max time kernel
153s
max time network
160s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe
Size

78KB
MD5

012985dc19456ef3c538c0e1252a0ca0
SHA1

dad3f34df7f7a991236367515c7ead1bbf539568
SHA256

8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7
SHA512

2be32f0387c1a4499d57041655680a6d3ab23e41f139e9fdbd5832fc01bfe24c07cf3098b3c938d3fddc8ab8d8de082ad8c74349090307a4c958c99155705ce0

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpFE1E.tmp.exe

pid process

1744 tmpFE1E.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpFE1E.tmp.exe

pid process

1744 tmpFE1E.tmp.exe

pid	process
1744	tmpFE1E.tmp.exe

pid	process
1744	tmpFE1E.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe

pid	process
1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe
1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpFE1E.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpFE1E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exetmpFE1E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe
Token: SeDebugPrivilege	1744	tmpFE1E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exevbc.exe

description	pid	process	target process
PID 1360 wrote to memory of 1236	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe	vbc.exe
PID 1360 wrote to memory of 1236	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe	vbc.exe
PID 1360 wrote to memory of 1236	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe	vbc.exe
PID 1360 wrote to memory of 1236	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe	vbc.exe
PID 1236 wrote to memory of 1092	1236	vbc.exe	cvtres.exe
PID 1236 wrote to memory of 1092	1236	vbc.exe	cvtres.exe
PID 1236 wrote to memory of 1092	1236	vbc.exe	cvtres.exe
PID 1236 wrote to memory of 1092	1236	vbc.exe	cvtres.exe
PID 1360 wrote to memory of 1744	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe	tmpFE1E.tmp.exe
PID 1360 wrote to memory of 1744	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe	tmpFE1E.tmp.exe
PID 1360 wrote to memory of 1744	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe	tmpFE1E.tmp.exe
PID 1360 wrote to memory of 1744	1360	8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe	tmpFE1E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe
"C:\Users\Admin\AppData\Local\Temp\8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5cs_akhn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFFC3.tmp"
3⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8476ff9ab4f25c5852fdc01c873b124e1186acb1f344bc2b794e11701681f5d7.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5cs_akhn.0.vb
Filesize
14KB

MD5
6b442f1d424a19e9f8c75a86824a21b5

SHA1
70b731dcbc5a18704a49d3e576f0a00c92d25303

SHA256
d6d2c5c060b7adeff5bfaca5c64a7b4f76c45461c90f790a98e7865ba1cabbcc

SHA512
22c5666b4d98e4a73894a11f29a4ec3d5f613e72b3f022acb6c9a09b0fbd6ffafae797c6c1deae0e2fb53f95308f8c048c86ab612ab141cfc12ca705c9880a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cs_akhn.cmdline
Filesize
266B

MD5
b7a35c6b732d12d9778dc524f169cafd

SHA1
afee4eaf73294949ee636f72e46394255a4de72a

SHA256
4a6dd0afdb8647efb4c15ba0a3366e0b894101a737012e955b3a7e4eac7a970b

SHA512
e9a3c60c71dcceac4f18f353a6ba199902b3b69104ccda0e35cee7eb881bf1817cbf37f39b25dac6d26b15745d41fdd54996118db72954af2618e59b54eda032

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFFC4.tmp
Filesize
1KB

MD5
524e52c8f62842fd02e9f98e2e1120da

SHA1
948f7b9fc6b2edc22c0a6205dd61ece81dfb37a8

SHA256
4e53cd178d3354ac05d4747bc077498585c3db9cfa9f5d31a39bb10a9b51ebde

SHA512
e558a088ecba7eac7fb48d076fa4c128324264fd262a05de8b9e0b3368d1515feb3b4f1353f8595f94c92f5901a892e05f49e41a583029f6ddabde46f991675d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp.exe
Filesize
78KB

MD5
39cfb44e038f74c5bc053c5b20acfaee

SHA1
d5ce437425b3773ed0ed2425a33e2b0387c11055

SHA256
0b4efcbdbdcd63a538599f79c35b7ca875d57234d499cb24b8af551a21dae5ef

SHA512
f4942027b457eb2d0eed38f1ee293f34e76a4d0c2715ef6b280832f270f5635c2fef0619c9f1312c6a38db3dbdb8994601e7d5bfd1282631b28c42eb9aff8400

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp.exe
Filesize
78KB

MD5
39cfb44e038f74c5bc053c5b20acfaee

SHA1
d5ce437425b3773ed0ed2425a33e2b0387c11055

SHA256
0b4efcbdbdcd63a538599f79c35b7ca875d57234d499cb24b8af551a21dae5ef

SHA512
f4942027b457eb2d0eed38f1ee293f34e76a4d0c2715ef6b280832f270f5635c2fef0619c9f1312c6a38db3dbdb8994601e7d5bfd1282631b28c42eb9aff8400

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFFC3.tmp
Filesize
660B

MD5
cc3b2697d0020a4425ad34964a3bf8c2

SHA1
54c6048bb2ce1e3157621e7e1baedc89505ada89

SHA256
56d3991d37814781c7fb74401749c9a45105190e800c1aec9c4b0bea24c5b3a2

SHA512
7f6a44203ca28750cd1aacaa745e774fba982075ac7cc195aad57d2f37720398edebb60edb1ef58f9fffd37054381d6574e04ea5c2411238ab8a47db29583a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp.exe
Filesize
78KB

MD5
39cfb44e038f74c5bc053c5b20acfaee

SHA1
d5ce437425b3773ed0ed2425a33e2b0387c11055

SHA256
0b4efcbdbdcd63a538599f79c35b7ca875d57234d499cb24b8af551a21dae5ef

SHA512
f4942027b457eb2d0eed38f1ee293f34e76a4d0c2715ef6b280832f270f5635c2fef0619c9f1312c6a38db3dbdb8994601e7d5bfd1282631b28c42eb9aff8400

Download Submit
\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp.exe
Filesize
78KB

MD5
39cfb44e038f74c5bc053c5b20acfaee

SHA1
d5ce437425b3773ed0ed2425a33e2b0387c11055

SHA256
0b4efcbdbdcd63a538599f79c35b7ca875d57234d499cb24b8af551a21dae5ef

SHA512
f4942027b457eb2d0eed38f1ee293f34e76a4d0c2715ef6b280832f270f5635c2fef0619c9f1312c6a38db3dbdb8994601e7d5bfd1282631b28c42eb9aff8400

Download Submit
memory/1092-59-0x0000000000000000-mapping.dmp

Download
memory/1236-55-0x0000000000000000-mapping.dmp

Download
memory/1360-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1360-68-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-65-0x0000000000000000-mapping.dmp

Download
memory/1744-69-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-70-0x00000000003A5000-0x00000000003B6000-memory.dmp

Filesize
68KB

Download