metamorpherrat | 62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a

Analysis

max time kernel
169s
max time network
177s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe
Size

78KB
MD5

2a6aaeb07a75c51a7c34953b10686718
SHA1

f222465fdb3db0d03deeb3e9f2452426e468436b
SHA256

62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a
SHA512

0490ab4587bceb5beda388b6c3295576e3e56b150523244529e5122e14d4aaa0cbe4a9c443738ee3192782f8c39a2dfd22503c64ce6896128e059c44955ac497

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp56E7.tmp.exe

pid process

1716 tmp56E7.tmp.exe

pid	process
1716	tmp56E7.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe

pid	process
1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe
1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp56E7.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp56E7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exetmp56E7.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe
Token: SeDebugPrivilege	1716	tmp56E7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exevbc.exe

description	pid	process	target process
PID 1980 wrote to memory of 1204	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe	vbc.exe
PID 1980 wrote to memory of 1204	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe	vbc.exe
PID 1980 wrote to memory of 1204	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe	vbc.exe
PID 1980 wrote to memory of 1204	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe	vbc.exe
PID 1204 wrote to memory of 1124	1204	vbc.exe	cvtres.exe
PID 1204 wrote to memory of 1124	1204	vbc.exe	cvtres.exe
PID 1204 wrote to memory of 1124	1204	vbc.exe	cvtres.exe
PID 1204 wrote to memory of 1124	1204	vbc.exe	cvtres.exe
PID 1980 wrote to memory of 1716	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe	tmp56E7.tmp.exe
PID 1980 wrote to memory of 1716	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe	tmp56E7.tmp.exe
PID 1980 wrote to memory of 1716	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe	tmp56E7.tmp.exe
PID 1980 wrote to memory of 1716	1980	62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe	tmp56E7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe
"C:\Users\Admin\AppData\Local\Temp\62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dclgxnpm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5830.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc582F.tmp"
3⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\tmp56E7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp56E7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\62793d226b65afcedf9ee1f2b6a58229576af85f53bd0fa963198460700caf6a.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5830.tmp
Filesize
1KB

MD5
910c4c7381a4ddda6150f9c666512e75

SHA1
8f16f1923d3dd30bd34a0868785b8f7bfb82b153

SHA256
b0eb2ecb0bd2aa575b8afaab5dc19fed9eae720114432bc7c5996a2e56f40c57

SHA512
34fc46fd3012685accae298b59d4e9ab7dcffcbd3144a439ffa7f77f203ff5e4f93f371dc39554625802b7cf044270eaa944561fe38ca16d08ab67a6eb9c4ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dclgxnpm.0.vb
Filesize
15KB

MD5
d6d219fed83ed096a581ced66394c954

SHA1
a208318339de616fc2986941da7840a4a9e882a1

SHA256
97b3abb66b1d4498f917471344273427b082854ca97d535288b514aa726c2337

SHA512
648a303f4abd8fae80dcf266bcfc2c366f462fc2c578ee8ea663c66f074f86d3d6621839f29bb4728a6ffa522f0023337d6ce15a9095e54d065e5eb6c7202029

Download Submit
C:\Users\Admin\AppData\Local\Temp\dclgxnpm.cmdline
Filesize
266B

MD5
c4b9d8d93191b010080244303397f742

SHA1
e13e5606b9f6aaa53a8934676dfdf6747537e4cf

SHA256
3cac5ac0c7c8e1a26a8353f9b91bcdaec5fddec18fc82c98cc5e474d3a6845a1

SHA512
1dfc0ab3e2a69844e66c177979c29934a1b074e8216d546367403daf0a44803f2d0479a720a3037375eb25132e8e6871ff20db6c4f147fe472a81d1ad30f3c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56E7.tmp.exe
Filesize
78KB

MD5
16aa900836ad2d205c48777d36eceb73

SHA1
8f09e31d4a60c61f7b8784c1c43ac29c4373e19f

SHA256
56a7fe0de5774bcf31cad974103958459105e575de3e529e1a37c59992938a0a

SHA512
89a2624c03bfab9d07901d8c3ff261b3fba8d67caa549e180ebcd7821ce337502a04f3c95d10136aac61decbd8fd2436f7da2ef4f3c3c65fbc54f9d9309dbf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56E7.tmp.exe
Filesize
78KB

MD5
16aa900836ad2d205c48777d36eceb73

SHA1
8f09e31d4a60c61f7b8784c1c43ac29c4373e19f

SHA256
56a7fe0de5774bcf31cad974103958459105e575de3e529e1a37c59992938a0a

SHA512
89a2624c03bfab9d07901d8c3ff261b3fba8d67caa549e180ebcd7821ce337502a04f3c95d10136aac61decbd8fd2436f7da2ef4f3c3c65fbc54f9d9309dbf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc582F.tmp
Filesize
660B

MD5
ac3c1681a2fd1419125835f6a640ead2

SHA1
2ec8e5a0136831b539a00f16273d7b8068453ca9

SHA256
bbf623b5a51d90384ee44ed46a40e6cbb73357e37883e0a01156b88208319a89

SHA512
743864225476f2072a887483dbfa8ad8be27a1a667fef30666bbf7150a5243173b62174fb857ca4f822e1ec2f4f0c845670617bc9d3eca85335b50927bcadc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp56E7.tmp.exe
Filesize
78KB

MD5
16aa900836ad2d205c48777d36eceb73

SHA1
8f09e31d4a60c61f7b8784c1c43ac29c4373e19f

SHA256
56a7fe0de5774bcf31cad974103958459105e575de3e529e1a37c59992938a0a

SHA512
89a2624c03bfab9d07901d8c3ff261b3fba8d67caa549e180ebcd7821ce337502a04f3c95d10136aac61decbd8fd2436f7da2ef4f3c3c65fbc54f9d9309dbf35

Download Submit
\Users\Admin\AppData\Local\Temp\tmp56E7.tmp.exe
Filesize
78KB

MD5
16aa900836ad2d205c48777d36eceb73

SHA1
8f09e31d4a60c61f7b8784c1c43ac29c4373e19f

SHA256
56a7fe0de5774bcf31cad974103958459105e575de3e529e1a37c59992938a0a

SHA512
89a2624c03bfab9d07901d8c3ff261b3fba8d67caa549e180ebcd7821ce337502a04f3c95d10136aac61decbd8fd2436f7da2ef4f3c3c65fbc54f9d9309dbf35

Download Submit
memory/1124-59-0x0000000000000000-mapping.dmp

Download
memory/1204-55-0x0000000000000000-mapping.dmp

Download
memory/1716-69-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-65-0x0000000000000000-mapping.dmp

Download
memory/1716-70-0x0000000000425000-0x0000000000436000-memory.dmp

Filesize
68KB

Download
memory/1980-54-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/1980-68-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download