metamorpherrat | 55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f

Analysis

max time kernel
4294213s
max time network
156s
platform
windows7_x64
resource
win7-20220310-en
submitted
30-03-2022 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe
Size

78KB
MD5

00e97630db58f3a15033efe1080bc6c4
SHA1

336e4facc000f10ca35129d4f627f0047642aff7
SHA256

55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f
SHA512

727cce055b2c0faa05a28066217093af8ffb541a4753d371a22003523cc127e6cd611b730d68ffb3a672f1ad1d1ef8e11c18a854cb2dc7fe2495d0d8afac7491

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp9176.tmp.exe

pid process

1640 tmp9176.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp9176.tmp.exe

pid process

1640 tmp9176.tmp.exe

pid	process
1640	tmp9176.tmp.exe

pid	process
1640	tmp9176.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe

pid	process
1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe
1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp9176.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9176.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exetmp9176.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe
Token: SeDebugPrivilege	1640	tmp9176.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exevbc.exe

description	pid	process	target process
PID 1708 wrote to memory of 1952	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe	vbc.exe
PID 1708 wrote to memory of 1952	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe	vbc.exe
PID 1708 wrote to memory of 1952	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe	vbc.exe
PID 1708 wrote to memory of 1952	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe	vbc.exe
PID 1952 wrote to memory of 1996	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 1996	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 1996	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 1996	1952	vbc.exe	cvtres.exe
PID 1708 wrote to memory of 1640	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe	tmp9176.tmp.exe
PID 1708 wrote to memory of 1640	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe	tmp9176.tmp.exe
PID 1708 wrote to memory of 1640	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe	tmp9176.tmp.exe
PID 1708 wrote to memory of 1640	1708	55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe	tmp9176.tmp.exe

C:\Users\Admin\AppData\Local\Temp\55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe
"C:\Users\Admin\AppData\Local\Temp\55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tkgsih4a.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES952F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc952E.tmp"
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\tmp9176.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9176.tmp.exe" C:\Users\Admin\AppData\Local\Temp\55124f40625edceab1c187c19fcd30a3c581137735cf9496279ce4f95446714f.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES952F.tmp
Filesize
1KB

MD5
b4478a707519145ff469ec6d239bf97a

SHA1
e6e094a7387b8377829257a74230174a5f4def2d

SHA256
2a70be9d2ffae750fb00487ee63244910c2b121696ab9a279f1c6f759e1dd1f0

SHA512
c27b832017538f53fc716d2db9eb74aa7e29a409ff59d83059ea042de07efc5bfab3016c5b0a6a5d7434c16a3ceba14c5dc4c1379d439304167cb96f26e3dcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkgsih4a.0.vb
Filesize
15KB

MD5
0ddd3d45d8089563e822d2c54f747b6c

SHA1
a9c48cf3cec3883e757a183286ab9afcce255e37

SHA256
c59efb34f44ec2778c87c0935a5dbecb7f9a57c2f9eae1acfabfee2ab6af1c6a

SHA512
3d4321919812d70686a98eb3c86a1adc050023bf8d63e0224cd335b8a9a0a1f57406ae9ef58086e4e14ec48dbd76ea6bd58c4671758b26d228fa1934f596251b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkgsih4a.cmdline
Filesize
266B

MD5
9622ab727c0b40929efbffd36c9264ac

SHA1
3eb5b670fb162e3c20a5a7ef2fbcb7a28df3c350

SHA256
ba3bb88072f58828c45af6e2bff6a7f1005ae64ade4ca15b2cb3a35579cda3b4

SHA512
812d4dafddcbcd417625df6a3cfd15088a9b6258b103dab245c40aa47859332bb3c84002bb1a33cf73c72ac354e20a48ac958b02d5e3cdd637e9bf0ddd8e2ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9176.tmp.exe
Filesize
78KB

MD5
21d4949a8d4369593c4a1b83194cf82c

SHA1
e7e67cfb6a816f5b8ebb8db8d95b2e758d0ad994

SHA256
e3ed2cdb653a84468e81f4d88c7d0ac4fc07458742b46f6c4a8f194600527855

SHA512
7a731b6a9329094e2121bf78f084c0b777cf076ee23989a944021a4a11bae6bf3abc499847bbe875715a8cc8c2670b9164817fe16a6f8c1c6604e86d9539341f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9176.tmp.exe
Filesize
78KB

MD5
21d4949a8d4369593c4a1b83194cf82c

SHA1
e7e67cfb6a816f5b8ebb8db8d95b2e758d0ad994

SHA256
e3ed2cdb653a84468e81f4d88c7d0ac4fc07458742b46f6c4a8f194600527855

SHA512
7a731b6a9329094e2121bf78f084c0b777cf076ee23989a944021a4a11bae6bf3abc499847bbe875715a8cc8c2670b9164817fe16a6f8c1c6604e86d9539341f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc952E.tmp
Filesize
660B

MD5
49d14b8374766bc0777e30e237a8b232

SHA1
c5203cc8ba667658e711ebe37d6ea3996629f938

SHA256
80ad6621dcf6cc09e5e296816064c53c8837616f0b691baac4e8612cba3bbb4c

SHA512
01373eb63e4a0b0b65e2d8c8904bc5bb079958ea10e69dbe54ea989e845f428f9b8e238dadb1c92bbfecf9c2265ee0b24ec1b24346cbe213a9ff3c8ef7e85b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9176.tmp.exe
Filesize
78KB

MD5
21d4949a8d4369593c4a1b83194cf82c

SHA1
e7e67cfb6a816f5b8ebb8db8d95b2e758d0ad994

SHA256
e3ed2cdb653a84468e81f4d88c7d0ac4fc07458742b46f6c4a8f194600527855

SHA512
7a731b6a9329094e2121bf78f084c0b777cf076ee23989a944021a4a11bae6bf3abc499847bbe875715a8cc8c2670b9164817fe16a6f8c1c6604e86d9539341f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9176.tmp.exe
Filesize
78KB

MD5
21d4949a8d4369593c4a1b83194cf82c

SHA1
e7e67cfb6a816f5b8ebb8db8d95b2e758d0ad994

SHA256
e3ed2cdb653a84468e81f4d88c7d0ac4fc07458742b46f6c4a8f194600527855

SHA512
7a731b6a9329094e2121bf78f084c0b777cf076ee23989a944021a4a11bae6bf3abc499847bbe875715a8cc8c2670b9164817fe16a6f8c1c6604e86d9539341f

Download Submit
memory/1640-66-0x0000000000000000-mapping.dmp

Download
memory/1640-69-0x0000000073DA0000-0x000000007434B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-70-0x00000000001C5000-0x00000000001D6000-memory.dmp

Filesize
68KB

Download
memory/1708-55-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-54-0x0000000075CA1000-0x0000000075CA3000-memory.dmp

Filesize
8KB

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download
memory/1996-60-0x0000000000000000-mapping.dmp

Download