metamorpherrat | 2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b

Analysis

max time kernel
191s
max time network
219s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe
Size

78KB
MD5

02bccae761f9425535ab87176a1c5e8f
SHA1

448d4066d6ca52b9c12bd8a26c6af84235710d6c
SHA256

2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b
SHA512

707a9b56420765bea951bba9584439f59f2f8a6e5ff29405a39f95736eafa7ab32b2b63b57ab495eda7bd38558cdef4f5ad68a4df55808f21840ff573da10f52

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF0E5.tmp.exe

pid process

896 tmpF0E5.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpF0E5.tmp.exe

pid process

896 tmpF0E5.tmp.exe

pid	process
896	tmpF0E5.tmp.exe

pid	process
896	tmpF0E5.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe

pid	process
1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe
1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpF0E5.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpF0E5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exetmpF0E5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe
Token: SeDebugPrivilege	896	tmpF0E5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exevbc.exe

description	pid	process	target process
PID 1488 wrote to memory of 1400	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe	vbc.exe
PID 1488 wrote to memory of 1400	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe	vbc.exe
PID 1488 wrote to memory of 1400	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe	vbc.exe
PID 1488 wrote to memory of 1400	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe	vbc.exe
PID 1400 wrote to memory of 1316	1400	vbc.exe	cvtres.exe
PID 1400 wrote to memory of 1316	1400	vbc.exe	cvtres.exe
PID 1400 wrote to memory of 1316	1400	vbc.exe	cvtres.exe
PID 1400 wrote to memory of 1316	1400	vbc.exe	cvtres.exe
PID 1488 wrote to memory of 896	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe	tmpF0E5.tmp.exe
PID 1488 wrote to memory of 896	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe	tmpF0E5.tmp.exe
PID 1488 wrote to memory of 896	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe	tmpF0E5.tmp.exe
PID 1488 wrote to memory of 896	1488	2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe	tmpF0E5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe
"C:\Users\Admin\AppData\Local\Temp\2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0uqr8dwp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF568.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF567.tmp"
3⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\tmpF0E5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF0E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2411389fc9138893308a7abc2f8249e411d00568c91401ea40574fbb8959184b.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0uqr8dwp.0.vb
Filesize
14KB

MD5
1100fb6056cf93a790ac6063e93affbd

SHA1
0a1baa385582bcefe60b32e6c35b44b189b7bef2

SHA256
06d98ff1e99b7a5566a5cefa2e6ee05b077ca5d5e7fc4d9f5b577a08ce6218c3

SHA512
b1d70740367a0746dac22cc6d950a8a66b55b82459e8dc26a9f6cbf1c38535da23a535a131c3cf357f90832f5d7365f767ca2567875ad963f8acb2eac7be5560

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uqr8dwp.cmdline
Filesize
266B

MD5
4a30c24f017d9a84e3e00ac2a6c875e8

SHA1
3fc78474da48a767b3bfe691a6d523c2da25051f

SHA256
5e575736a48dbb66733d8c2984d029fd8b15fc27724ec6c5d494435a9223c5ec

SHA512
dffdb91f33cb95556258de17b4fc20a1004110bb5c90b879ad1af4a9b9b20329fe38ffe87942b2c776017fa3579b134cd8c7e97378bb08b071ef3edcb169328a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF568.tmp
Filesize
1KB

MD5
d6ce8e0c2106eb6106eada344fc9aa48

SHA1
614856e4884bbadee51ba247fbfe25c7c13db78d

SHA256
a6fbd49ffb9e510f2c217337bd1f989413f0c774d7e8f1798ceb8d36f4f22f23

SHA512
5b326d9a21a873e2f69f4ee46b218a6ab91cea2f27688ff8a798233adcb2226d36fa714b3465fc1d106ab0fa1f53c10996f4d9236bd7210f46845049f4d3aeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0E5.tmp.exe
Filesize
78KB

MD5
cca9224692cc40662466d8d8bc9d1c6f

SHA1
b2957e5ad1722159ce95dd70b7f6cb2d21710f6e

SHA256
912127df68e51dab1ef55e6cdedb2a67a6c4fda709dd575e135056e90d5722e8

SHA512
5700f9104f81c8ce3071313867c6bc8c4c1e91fbe1bfa1ad6996e53a95a1f558e04af6d2ad1a839673bcc26c37bc3953c0c4f118a58d0a4f37155caa0f270cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0E5.tmp.exe
Filesize
78KB

MD5
cca9224692cc40662466d8d8bc9d1c6f

SHA1
b2957e5ad1722159ce95dd70b7f6cb2d21710f6e

SHA256
912127df68e51dab1ef55e6cdedb2a67a6c4fda709dd575e135056e90d5722e8

SHA512
5700f9104f81c8ce3071313867c6bc8c4c1e91fbe1bfa1ad6996e53a95a1f558e04af6d2ad1a839673bcc26c37bc3953c0c4f118a58d0a4f37155caa0f270cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF567.tmp
Filesize
660B

MD5
ba3a0809ec1862086490802210ffd7da

SHA1
2e69218f23ecbed3116c05e539bec81c4b29fdf3

SHA256
857e28735ff2a97d9f9e6a6a99b967d85038577b5e1b5eff125acdc9bb35da12

SHA512
5b28d1b57ded09c623531e95ee2318639769eb42f6fe573356c945bf316d861d92d11656baa2afa37c13c3a47c438af9f54e3d4369a5257431ffb93587dd174c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF0E5.tmp.exe
Filesize
78KB

MD5
cca9224692cc40662466d8d8bc9d1c6f

SHA1
b2957e5ad1722159ce95dd70b7f6cb2d21710f6e

SHA256
912127df68e51dab1ef55e6cdedb2a67a6c4fda709dd575e135056e90d5722e8

SHA512
5700f9104f81c8ce3071313867c6bc8c4c1e91fbe1bfa1ad6996e53a95a1f558e04af6d2ad1a839673bcc26c37bc3953c0c4f118a58d0a4f37155caa0f270cc8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF0E5.tmp.exe
Filesize
78KB

MD5
cca9224692cc40662466d8d8bc9d1c6f

SHA1
b2957e5ad1722159ce95dd70b7f6cb2d21710f6e

SHA256
912127df68e51dab1ef55e6cdedb2a67a6c4fda709dd575e135056e90d5722e8

SHA512
5700f9104f81c8ce3071313867c6bc8c4c1e91fbe1bfa1ad6996e53a95a1f558e04af6d2ad1a839673bcc26c37bc3953c0c4f118a58d0a4f37155caa0f270cc8

Download Submit
memory/896-66-0x0000000000000000-mapping.dmp

Download
memory/896-69-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/896-70-0x0000000002095000-0x00000000020A6000-memory.dmp

Filesize
68KB

Download
memory/1316-60-0x0000000000000000-mapping.dmp

Download
memory/1400-56-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download