metamorpherrat | 3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e

Analysis

max time kernel
4294211s
max time network
152s
platform
windows7_x64
resource
win7-20220311-en
submitted
30-03-2022 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe
Size

78KB
MD5

10dc56c61c5df82374ded65e8520b09d
SHA1

b0b809fc1fdbfea6f1d9b3984ddbc1878a8c7c7a
SHA256

3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e
SHA512

4f9089deabe313db1e328f137344175d345fae47c36eb27995a8dade608e5d658ff626ff61bdc02a0d122ed919150e3842fd088733d873b2e17a63d630c68c77

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp7677.tmp.exe

pid process

968 tmp7677.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp7677.tmp.exe

pid process

968 tmp7677.tmp.exe

pid	process
968	tmp7677.tmp.exe

pid	process
968	tmp7677.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe

pid	process
972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe
972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp7677.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp7677.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exetmp7677.tmp.exe

description	pid	process
Token: SeDebugPrivilege	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe
Token: SeDebugPrivilege	968	tmp7677.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exevbc.exe

description	pid	process	target process
PID 972 wrote to memory of 1548	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe	vbc.exe
PID 972 wrote to memory of 1548	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe	vbc.exe
PID 972 wrote to memory of 1548	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe	vbc.exe
PID 972 wrote to memory of 1548	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe	vbc.exe
PID 1548 wrote to memory of 1856	1548	vbc.exe	cvtres.exe
PID 1548 wrote to memory of 1856	1548	vbc.exe	cvtres.exe
PID 1548 wrote to memory of 1856	1548	vbc.exe	cvtres.exe
PID 1548 wrote to memory of 1856	1548	vbc.exe	cvtres.exe
PID 972 wrote to memory of 968	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe	tmp7677.tmp.exe
PID 972 wrote to memory of 968	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe	tmp7677.tmp.exe
PID 972 wrote to memory of 968	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe	tmp7677.tmp.exe
PID 972 wrote to memory of 968	972	3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe	tmp7677.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe
"C:\Users\Admin\AppData\Local\Temp\3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ii6c1pax.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78C8.tmp"
3⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\tmp7677.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7677.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3034efabb0240462e2919ac133ab27372337bae94ce1e75fb9b60cb7033f244e.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES78C9.tmp
Filesize
1KB

MD5
8ae139fa774f6967cca3c040a326f869

SHA1
85f9f803bc8341ae283dc6c6fed54e2d968e9d3d

SHA256
b79065c58a9d7cf9c2123b69c7d210a3227301224f574eadfd9552d9d0c2bbf5

SHA512
ff23a2ae462c67d80e6eb816cf4ba120eed91d9a7400128397278a9572f1ed13d0a86ec3675801297a9b5d9095c5a8e1761ba5b4a9feb93b2392fa83fcc9cd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ii6c1pax.0.vb
Filesize
15KB

MD5
d0b8b5f399d8c04bb91ec10d76148f5a

SHA1
122ab8c030241b462151e167c83d3a31bf355133

SHA256
01a58ef64876bc0c654085142f170f5f4d29d58546962903f077d493610a0587

SHA512
74f0749d50ff4bff5056820af0866eee3c073ca8b11a1f135b7ad73d143953aec3f2f617d351e196723cec09a2353304feef38d1cc9dcd538ace503909a2c544

Download Submit
C:\Users\Admin\AppData\Local\Temp\ii6c1pax.cmdline
Filesize
266B

MD5
61397943e09235268ddbe583b491bbf5

SHA1
7eb76835d6c4ea18f71e2191f1dc4cf751609d12

SHA256
3de771221db6e9586a9e9b1daf90db22bf839d208b64475a5bd0e2f1eca7095e

SHA512
01e0c9255bc605c3d3615c07fedc59b899a2ad2223b37af64dd2e5adee3e765b3410a5138d5bb0d6a1e3a9e2aa215df4dd9cad297f598484e3e4d4b9d96d002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7677.tmp.exe
Filesize
78KB

MD5
33feac2c8f09b28e48c7ad2afe9a77f7

SHA1
42cc1d624126ca618e1c8f6839a862287b8a1e92

SHA256
8532fa04216d5c27bd3c261e89e30ebd166b1ebe895d280ab99c50867f939d18

SHA512
c62d84aca2b5bf071184fbe7937095576c54b912375c014689175e448c5762d2ef9217dc404983130fe2d5b70de9a15e28d823b80e0bfb02751b25b83d9f6dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7677.tmp.exe
Filesize
78KB

MD5
33feac2c8f09b28e48c7ad2afe9a77f7

SHA1
42cc1d624126ca618e1c8f6839a862287b8a1e92

SHA256
8532fa04216d5c27bd3c261e89e30ebd166b1ebe895d280ab99c50867f939d18

SHA512
c62d84aca2b5bf071184fbe7937095576c54b912375c014689175e448c5762d2ef9217dc404983130fe2d5b70de9a15e28d823b80e0bfb02751b25b83d9f6dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc78C8.tmp
Filesize
660B

MD5
9f1d3c54fb149a84ba4c33f4c1ef777c

SHA1
be95cec6d0b8e2a5c8a403bd548731de6a8be858

SHA256
abc400cd5f8bf0d463171114a2eb914be5514de953a8589db92b1a4d2f1e9690

SHA512
eb726ea6e6247722f11520610ac96b0fa00b731a78dae5f28cd4809428653ec8f95472076960cb250653ba1829a4a6194818ab5728d502991a73b79ab6cc13dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7677.tmp.exe
Filesize
78KB

MD5
33feac2c8f09b28e48c7ad2afe9a77f7

SHA1
42cc1d624126ca618e1c8f6839a862287b8a1e92

SHA256
8532fa04216d5c27bd3c261e89e30ebd166b1ebe895d280ab99c50867f939d18

SHA512
c62d84aca2b5bf071184fbe7937095576c54b912375c014689175e448c5762d2ef9217dc404983130fe2d5b70de9a15e28d823b80e0bfb02751b25b83d9f6dab

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7677.tmp.exe
Filesize
78KB

MD5
33feac2c8f09b28e48c7ad2afe9a77f7

SHA1
42cc1d624126ca618e1c8f6839a862287b8a1e92

SHA256
8532fa04216d5c27bd3c261e89e30ebd166b1ebe895d280ab99c50867f939d18

SHA512
c62d84aca2b5bf071184fbe7937095576c54b912375c014689175e448c5762d2ef9217dc404983130fe2d5b70de9a15e28d823b80e0bfb02751b25b83d9f6dab

Download Submit
memory/968-66-0x0000000000000000-mapping.dmp

Download
memory/968-69-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/968-70-0x0000000001F75000-0x0000000001F86000-memory.dmp

Filesize
68KB

Download
memory/972-56-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/972-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1548-55-0x0000000000000000-mapping.dmp

Download
memory/1856-60-0x0000000000000000-mapping.dmp

Download