metamorpherrat | 75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f

Analysis

max time kernel
181s
max time network
184s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe
Size

78KB
MD5

00b01e3ae42a148b96973f119918429e
SHA1

6c07708b750ff2e650ab3845544b138b65a597c4
SHA256

75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f
SHA512

899d5fabfa77d237e533615b10bd659965ffd212f015e6a8dbf6bd729a0c0b0af29a05db41721182987ffdd8dd1be72cb352577c53baf12fd49280fe62b338a0

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp7550.tmp.exe

pid process

1136 tmp7550.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp7550.tmp.exe

pid process

1136 tmp7550.tmp.exe

pid	process
1136	tmp7550.tmp.exe

pid	process
1136	tmp7550.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe

pid	process
2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe
2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp7550.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp7550.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exetmp7550.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe
Token: SeDebugPrivilege	1136	tmp7550.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exevbc.exe

description	pid	process	target process
PID 2016 wrote to memory of 1528	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe	vbc.exe
PID 2016 wrote to memory of 1528	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe	vbc.exe
PID 2016 wrote to memory of 1528	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe	vbc.exe
PID 2016 wrote to memory of 1528	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe	vbc.exe
PID 1528 wrote to memory of 1500	1528	vbc.exe	cvtres.exe
PID 1528 wrote to memory of 1500	1528	vbc.exe	cvtres.exe
PID 1528 wrote to memory of 1500	1528	vbc.exe	cvtres.exe
PID 1528 wrote to memory of 1500	1528	vbc.exe	cvtres.exe
PID 2016 wrote to memory of 1136	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe	tmp7550.tmp.exe
PID 2016 wrote to memory of 1136	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe	tmp7550.tmp.exe
PID 2016 wrote to memory of 1136	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe	tmp7550.tmp.exe
PID 2016 wrote to memory of 1136	2016	75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe	tmp7550.tmp.exe

C:\Users\Admin\AppData\Local\Temp\75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe
"C:\Users\Admin\AppData\Local\Temp\75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9zmaczxs.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7689.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7688.tmp"
3⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\tmp7550.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7550.tmp.exe" C:\Users\Admin\AppData\Local\Temp\75028b8f62067e103aeda12fb97b3f99404e7a9a12bbb4525e3e3a8f9fbe5f3f.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9zmaczxs.0.vb
Filesize
15KB

MD5
ceb1179b6ebfbcfb05b4c6bac4567a9e

SHA1
8f665342bb0b1c67c5e12aab7c76693879eaa8dd

SHA256
7e1365f39c62414edaa5c83ee10db87a2bb02478ba56e4e0d3def2f487db63d8

SHA512
9944dc0d43ac2397a4e6ef75a0feecc9eedd19cd7a3f234ff57a327384f152e2ce644d14d24f611a3364ebc6f27382511dfefa61ac58de8634c83b1b464245c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9zmaczxs.cmdline
Filesize
266B

MD5
9f6ac776008f522298163275362a59dc

SHA1
4719cc80090c0c16ce339b76daf4386db3361bfd

SHA256
80723d55bac8aec0c03a9c65b20a0f70d8b0430ee8da2fa3b271398498751e5d

SHA512
901c2f3b2b3df874582b1e8cba140d86ca976384864378e5ea7599894501d5da59ed68e2ede01f20b7dd04d08cead7c8ac3cf4f1e44e15c9f149e8e256ba1c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7689.tmp
Filesize
1KB

MD5
e48cb5984f9f3aa68f77c9c026bd2f4e

SHA1
8d04e54307fe7fb59d783143bc15bdb9c6c3d7ac

SHA256
c06a9921477b24a5233de95f393c490cc3b8dc32e6a130385fe7a3fa913ba358

SHA512
a0ae30df8c00154ac87618db69aaa0b70b6bae73398b901b2d9eb47da14414216e97ac9b5e7b67d2d503ac3c63a58f68788c938f3282cb672f9b22f681917916

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7550.tmp.exe
Filesize
78KB

MD5
3cf20b2fb453dc2bc8ed8937c3d674ab

SHA1
c3f4420ccfdc0acf8f39baba83a85876125ccc99

SHA256
001f3da28ef41f017c36d4f2e29d85ba061efa7d65d6cdf234177528d709fbc3

SHA512
9ba3b146f7305016f83c068ba9efac9dcf693a68efa317f3f4271ec0f48bd2572d7aaaac88ff0483da7f2c05524b57232528cdc57ea70f766182bd396e5916f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7550.tmp.exe
Filesize
78KB

MD5
3cf20b2fb453dc2bc8ed8937c3d674ab

SHA1
c3f4420ccfdc0acf8f39baba83a85876125ccc99

SHA256
001f3da28ef41f017c36d4f2e29d85ba061efa7d65d6cdf234177528d709fbc3

SHA512
9ba3b146f7305016f83c068ba9efac9dcf693a68efa317f3f4271ec0f48bd2572d7aaaac88ff0483da7f2c05524b57232528cdc57ea70f766182bd396e5916f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7688.tmp
Filesize
660B

MD5
33414149dab4951496fe1b3b8cdc6852

SHA1
e125ee83925f78731ad69458d95ace4830f0cdbf

SHA256
15c52f9f229abecdf157d8f62684633a131c85c422447fb103bcc846b6421b02

SHA512
46d9a9e6e480c071074d091fd1163fdde8fdb8c1dfab87e0479d73a0ad0b76edb5dd8fdd0fe82e288d45054a6fb5b38da17c93dc8782e0272bde41e8cb2aed08

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7550.tmp.exe
Filesize
78KB

MD5
3cf20b2fb453dc2bc8ed8937c3d674ab

SHA1
c3f4420ccfdc0acf8f39baba83a85876125ccc99

SHA256
001f3da28ef41f017c36d4f2e29d85ba061efa7d65d6cdf234177528d709fbc3

SHA512
9ba3b146f7305016f83c068ba9efac9dcf693a68efa317f3f4271ec0f48bd2572d7aaaac88ff0483da7f2c05524b57232528cdc57ea70f766182bd396e5916f4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7550.tmp.exe
Filesize
78KB

MD5
3cf20b2fb453dc2bc8ed8937c3d674ab

SHA1
c3f4420ccfdc0acf8f39baba83a85876125ccc99

SHA256
001f3da28ef41f017c36d4f2e29d85ba061efa7d65d6cdf234177528d709fbc3

SHA512
9ba3b146f7305016f83c068ba9efac9dcf693a68efa317f3f4271ec0f48bd2572d7aaaac88ff0483da7f2c05524b57232528cdc57ea70f766182bd396e5916f4

Download Submit
memory/1136-66-0x0000000000000000-mapping.dmp

Download
memory/1136-69-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1136-70-0x00000000001A5000-0x00000000001B6000-memory.dmp

Filesize
68KB

Download
memory/1500-59-0x0000000000000000-mapping.dmp

Download
memory/1528-55-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/2016-63-0x0000000074940000-0x0000000074EEB000-memory.dmp

Filesize
5.7MB

Download