metamorpherrat | 6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe
Size

78KB
MD5

0a5c54b7f730314ca2a40e5763a2bbda
SHA1

bbad076d9732eb7fa8f7f8917ad6afef159a992f
SHA256

6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9
SHA512

a35859e63013b2557bf7e6da5b2266b41cb88d72916e897dabd5a1b0f9b48db84cbbf4d76400ca449432c10a6c1051a69cc58814c632fd8c37f9fd838fce5087

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpF690.tmp.exe

pid process

1692 tmpF690.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpF690.tmp.exe

pid process

1692 tmpF690.tmp.exe

pid	process
1692	tmpF690.tmp.exe

pid	process
1692	tmpF690.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe

pid	process
456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe
456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpF690.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpF690.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exetmpF690.tmp.exe

description	pid	process
Token: SeDebugPrivilege	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe
Token: SeDebugPrivilege	1692	tmpF690.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exevbc.exe

description	pid	process	target process
PID 456 wrote to memory of 2040	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe	vbc.exe
PID 456 wrote to memory of 2040	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe	vbc.exe
PID 456 wrote to memory of 2040	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe	vbc.exe
PID 456 wrote to memory of 2040	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe	vbc.exe
PID 2040 wrote to memory of 864	2040	vbc.exe	cvtres.exe
PID 2040 wrote to memory of 864	2040	vbc.exe	cvtres.exe
PID 2040 wrote to memory of 864	2040	vbc.exe	cvtres.exe
PID 2040 wrote to memory of 864	2040	vbc.exe	cvtres.exe
PID 456 wrote to memory of 1692	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe	tmpF690.tmp.exe
PID 456 wrote to memory of 1692	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe	tmpF690.tmp.exe
PID 456 wrote to memory of 1692	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe	tmpF690.tmp.exe
PID 456 wrote to memory of 1692	456	6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe	tmpF690.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe
"C:\Users\Admin\AppData\Local\Temp\6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jmykgl6_.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF807.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF806.tmp"
3⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\tmpF690.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF690.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6fc7902a1237525e8fa7200e38f749e74fb9c410b9ceedb86f7214fe1bc4b4b9.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF807.tmp
Filesize
1KB

MD5
11906b639257a4849aa340ea081bc3c5

SHA1
d403f3555006a78e81b6bd9ac13aa476c8f44f64

SHA256
ba521e5fecfc6a2e5b3f81358a7107bfe5c51b034be3d483a7933de371353ff6

SHA512
f134e1fe9c5f5d5189c550eaad6262007382379ec9df7c131a064970d2e5b8a01edf90a6817ad33655c38f6f63381768200223c62a67802d622aab83faa95841

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmykgl6_.0.vb
Filesize
14KB

MD5
66003cef90385c914cb6ae023e3ed02d

SHA1
5f6c52a7079e28d9b855ba057756c0681a97030e

SHA256
dd1fbcadb99a70d45ec3cf83b826017c0bb3c52ca15f06afcf06bb9a718a43b8

SHA512
dc3cd106896c8d65190b9977d4cacbeeb8bfcabd5589224eda8dc3feb1cea00812918cb7c058973c8099a36682aa79dfeb52c3d8661fab018a03165b35fb62d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmykgl6_.cmdline
Filesize
266B

MD5
8bd16a36c792f66119ffee09aa29006d

SHA1
954ed8a0e2546f7c1d0629eb574c4d89648097d5

SHA256
c4a092f0d51be813c513687ee0b84941ab91ec676cd3ff4f3f0c85eb9846a8ee

SHA512
87cf8543710def91477d6e43c8d759a6ae2eb2791392ea0d6dacb4bd370a25e4d66088c4afb3d22ed5d8ece71acdbe15eafe15fd356b28dd36897363146f9205

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF690.tmp.exe
Filesize
78KB

MD5
d83df7f24f9c6f0e218856168a71b2d0

SHA1
7f03a23480c08fc40a07404f2d261ca14cb78f73

SHA256
7009332ae62074258292217208d05269b9ba840d4af34229496b2157d15ab9ee

SHA512
7805014b7bb32ae1f078312069abdf3ce1d0727e8273f4759b8215a6afadd300f269634b8937f164aaf48ade115d01eb6f3600055483222e0a5975f071c4a1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF690.tmp.exe
Filesize
78KB

MD5
d83df7f24f9c6f0e218856168a71b2d0

SHA1
7f03a23480c08fc40a07404f2d261ca14cb78f73

SHA256
7009332ae62074258292217208d05269b9ba840d4af34229496b2157d15ab9ee

SHA512
7805014b7bb32ae1f078312069abdf3ce1d0727e8273f4759b8215a6afadd300f269634b8937f164aaf48ade115d01eb6f3600055483222e0a5975f071c4a1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF806.tmp
Filesize
660B

MD5
7b7210adbec153d815343c10bb853806

SHA1
60bdcc6498f22d3b85723542bc9a4ce2b1a53b1b

SHA256
562df6ac18adf166488b6f8aea31e89db44c57fcd58851fd347e864c4c33150e

SHA512
b63875076fb72c0a63bfa157e6b6d0a5eb2a3b7ef1811c0036782e846779905515a4f0033b8a843d0194c3eb02ae2e3beb465e97590df43612280a32d7e06be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF690.tmp.exe
Filesize
78KB

MD5
d83df7f24f9c6f0e218856168a71b2d0

SHA1
7f03a23480c08fc40a07404f2d261ca14cb78f73

SHA256
7009332ae62074258292217208d05269b9ba840d4af34229496b2157d15ab9ee

SHA512
7805014b7bb32ae1f078312069abdf3ce1d0727e8273f4759b8215a6afadd300f269634b8937f164aaf48ade115d01eb6f3600055483222e0a5975f071c4a1ae

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF690.tmp.exe
Filesize
78KB

MD5
d83df7f24f9c6f0e218856168a71b2d0

SHA1
7f03a23480c08fc40a07404f2d261ca14cb78f73

SHA256
7009332ae62074258292217208d05269b9ba840d4af34229496b2157d15ab9ee

SHA512
7805014b7bb32ae1f078312069abdf3ce1d0727e8273f4759b8215a6afadd300f269634b8937f164aaf48ade115d01eb6f3600055483222e0a5975f071c4a1ae

Download Submit
memory/456-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/456-58-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/864-60-0x0000000000000000-mapping.dmp

Download
memory/1692-66-0x0000000000000000-mapping.dmp

Download
memory/1692-69-0x0000000074DC0000-0x000000007536B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-70-0x00000000020F5000-0x0000000002106000-memory.dmp

Filesize
68KB

Download
memory/2040-55-0x0000000000000000-mapping.dmp

Download