metamorpherrat | 763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738

Analysis

max time kernel
150s
max time network
161s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe
Size

78KB
MD5

016f7f4cdd91ff5da68185b7492e7457
SHA1

ff2d20723a34b92ca4f5b8b1cd0e1edff633b5bb
SHA256

763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738
SHA512

ee6308f4cb87605c190461038fc7d70315374f5d8535ec576d8f9b3995aba1d1918116f53759602b9f8f2d52f7269100466c15a26ca94d1f599f99b7bde4224e

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp11DC.tmp.exe

pid process

1532 tmp11DC.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp11DC.tmp.exe

pid process

1532 tmp11DC.tmp.exe

pid	process
1532	tmp11DC.tmp.exe

pid	process
1532	tmp11DC.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe

pid	process
1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe
1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp11DC.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp11DC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exetmp11DC.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe
Token: SeDebugPrivilege	1532	tmp11DC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exevbc.exe

description	pid	process	target process
PID 1360 wrote to memory of 1736	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe	vbc.exe
PID 1360 wrote to memory of 1736	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe	vbc.exe
PID 1360 wrote to memory of 1736	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe	vbc.exe
PID 1360 wrote to memory of 1736	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe	vbc.exe
PID 1736 wrote to memory of 1208	1736	vbc.exe	cvtres.exe
PID 1736 wrote to memory of 1208	1736	vbc.exe	cvtres.exe
PID 1736 wrote to memory of 1208	1736	vbc.exe	cvtres.exe
PID 1736 wrote to memory of 1208	1736	vbc.exe	cvtres.exe
PID 1360 wrote to memory of 1532	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe	tmp11DC.tmp.exe
PID 1360 wrote to memory of 1532	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe	tmp11DC.tmp.exe
PID 1360 wrote to memory of 1532	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe	tmp11DC.tmp.exe
PID 1360 wrote to memory of 1532	1360	763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe	tmp11DC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe
"C:\Users\Admin\AppData\Local\Temp\763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0oiiwsll.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1335.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1324.tmp"
3⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\tmp11DC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp11DC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\763fc4b26e62c282d2c3dc30b50357c4b99d9d2982aafa70b749430d3916e738.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0oiiwsll.0.vb
Filesize
15KB

MD5
c9b4973e3efa3e4cbd2799e5a1c42a64

SHA1
47252d397db00e7c75a0fc9add574a66914e12ea

SHA256
d4e7f8a9ab54eee819cb7c21d6ece7954db555af51af36174ad9d548aa6deba8

SHA512
91d9dce42c919028b4c8fde51618465dc4a9ccfecfa3669ab151dbe16f6cd20b51844f1b0693f7c3a1a11e2c4af5f605caf7ad3dc4f05448f91c576e33890a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\0oiiwsll.cmdline
Filesize
266B

MD5
41ab13663e636b1c667e5c356a4c454f

SHA1
b1b692e2afe881afdd3f72e386ec7d8f51770df8

SHA256
d316e63ab4136d09400a83f4bac7e610c3f9279ba7504337d6cfe6a5947b3a48

SHA512
de9b5ad95ef14c434a94bb38bb604896ce261e518df6572a0a243863c1eec88468a0f324b78dd2dfce483afce62516f7e850f78ac18264c4c552c182e0d11857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1335.tmp
Filesize
1KB

MD5
e00bb754d8fab2dbb0ca0cd544f9d4f9

SHA1
be4d16781a724dc59174464c792b1fd37a29a577

SHA256
5fbd3a4adf4b7f3800b10179ea80b99b2ca52a2a56466c9413986d48a86b3674

SHA512
d4399068ad9944ec5e1a14717fbfc329faddffd8b944a6034ce9e0958254766f4cf31794ef75eaf914cd599bd465b3167d17858e0781a1d7b640fa46c1443c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11DC.tmp.exe
Filesize
78KB

MD5
d756b022ede18d811a7110610c74250b

SHA1
130f53416d9db1056938688b2160b463477560b9

SHA256
89bbabfe7e6bc7287ad4df69250b8c0d7cf0d7a036ccb5f0949f3ceccd4b424b

SHA512
adab9ccdb91c134b931e4c67c8417667d52d9218290ad8da01f4b5481a679ff27d8b7faa0227c6c1129cec62e6861653695232e1e5436f1f148c4df80817f144

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11DC.tmp.exe
Filesize
78KB

MD5
d756b022ede18d811a7110610c74250b

SHA1
130f53416d9db1056938688b2160b463477560b9

SHA256
89bbabfe7e6bc7287ad4df69250b8c0d7cf0d7a036ccb5f0949f3ceccd4b424b

SHA512
adab9ccdb91c134b931e4c67c8417667d52d9218290ad8da01f4b5481a679ff27d8b7faa0227c6c1129cec62e6861653695232e1e5436f1f148c4df80817f144

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1324.tmp
Filesize
660B

MD5
ac0f67295cece81e97ff067b812c9572

SHA1
a74b92b274a2b9059d447ee4fb7ae455551e6717

SHA256
bda50d498bd9afa5b8718a5589abd6589e323052727c9192442ef86472693567

SHA512
279c4d83d73758bc15c1d91cfeac21b98bef74efddc0ecc4a8c3b4bf94f48c42ae6d0bb8440e1dd3257f5479768e6b74c1ae7db344f632975e92eef75b281d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp11DC.tmp.exe
Filesize
78KB

MD5
d756b022ede18d811a7110610c74250b

SHA1
130f53416d9db1056938688b2160b463477560b9

SHA256
89bbabfe7e6bc7287ad4df69250b8c0d7cf0d7a036ccb5f0949f3ceccd4b424b

SHA512
adab9ccdb91c134b931e4c67c8417667d52d9218290ad8da01f4b5481a679ff27d8b7faa0227c6c1129cec62e6861653695232e1e5436f1f148c4df80817f144

Download Submit
\Users\Admin\AppData\Local\Temp\tmp11DC.tmp.exe
Filesize
78KB

MD5
d756b022ede18d811a7110610c74250b

SHA1
130f53416d9db1056938688b2160b463477560b9

SHA256
89bbabfe7e6bc7287ad4df69250b8c0d7cf0d7a036ccb5f0949f3ceccd4b424b

SHA512
adab9ccdb91c134b931e4c67c8417667d52d9218290ad8da01f4b5481a679ff27d8b7faa0227c6c1129cec62e6861653695232e1e5436f1f148c4df80817f144

Download Submit
memory/1208-60-0x0000000000000000-mapping.dmp

Download
memory/1360-54-0x00000000755D1000-0x00000000755D3000-memory.dmp

Filesize
8KB

Download
memory/1360-55-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1532-66-0x0000000000000000-mapping.dmp

Download
memory/1532-69-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-70-0x00000000002C5000-0x00000000002D6000-memory.dmp

Filesize
68KB

Download
memory/1736-56-0x0000000000000000-mapping.dmp

Download