metamorpherrat | 217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc

Analysis

max time kernel
152s
max time network
183s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe
Size

78KB
MD5

01512058be0a28a400ad3b3c8f7a8cd4
SHA1

b0c69acd1f534724b97b3cf10459cfb30c24d14e
SHA256

217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc
SHA512

d957f42c463568fab2d5e11dd723b4347d6883623261fde4481ccb01013207556c0cfe486045c89635f266f9c39edd51ba635592f6a4f324e651f45f5194b02e

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp63B3.tmp.exe

pid process

1296 tmp63B3.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp63B3.tmp.exe

pid process

1296 tmp63B3.tmp.exe

pid	process
1296	tmp63B3.tmp.exe

pid	process
1296	tmp63B3.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe

pid	process
532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe
532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp63B3.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp63B3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exetmp63B3.tmp.exe

description	pid	process
Token: SeDebugPrivilege	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe
Token: SeDebugPrivilege	1296	tmp63B3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exevbc.exe

description	pid	process	target process
PID 532 wrote to memory of 608	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe	vbc.exe
PID 532 wrote to memory of 608	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe	vbc.exe
PID 532 wrote to memory of 608	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe	vbc.exe
PID 532 wrote to memory of 608	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe	vbc.exe
PID 608 wrote to memory of 1408	608	vbc.exe	cvtres.exe
PID 608 wrote to memory of 1408	608	vbc.exe	cvtres.exe
PID 608 wrote to memory of 1408	608	vbc.exe	cvtres.exe
PID 608 wrote to memory of 1408	608	vbc.exe	cvtres.exe
PID 532 wrote to memory of 1296	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe	tmp63B3.tmp.exe
PID 532 wrote to memory of 1296	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe	tmp63B3.tmp.exe
PID 532 wrote to memory of 1296	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe	tmp63B3.tmp.exe
PID 532 wrote to memory of 1296	532	217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe	tmp63B3.tmp.exe

C:\Users\Admin\AppData\Local\Temp\217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe
"C:\Users\Admin\AppData\Local\Temp\217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxjcr3x0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66DF.tmp"
3⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\tmp63B3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp63B3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\217fec3dfad9aec6d8aed3168dfaabfd275117e2fce08be8d362a0565ab9b4cc.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES66E0.tmp
Filesize
1KB

MD5
07bd830c11be3e07fabeb7dcad1e7309

SHA1
0b1787585a02c1ea6079b0601786f7be0f85c5b6

SHA256
31eb5972815ccd127b1085e94227c6a978ebe6e9d90a6c42490bdf887ab12688

SHA512
f4603ffe1224ffed088d5dd0780cdc13638cb510ab0db0180871479a59d883de60011894079a139bd092d3009cb931c0aafba88736c2ee87c445eb3f5bd2a110

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxjcr3x0.0.vb
Filesize
15KB

MD5
37fde8f9de90c94bfb3e8a01f841ac10

SHA1
2658ebfda04cb57256bf8801ef39e662fdae04a0

SHA256
c1fc1fa754b95b04deeee345ee1e66a926bcc7edb55510b5abf9898659386697

SHA512
6bcdf45c42b029fe7a4909be18dd13dd011fd4d0d013c5612cc82c720426494594b932238d29f315a6478857282322196cd8250ffb21538358482cd0fd621f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxjcr3x0.cmdline
Filesize
266B

MD5
9923d8e16d43d9a4a980c39141e2839c

SHA1
9578f344445d895d50fcc357d4f5c4b0e7167737

SHA256
2db0e87b1caf54fe0e76357645f112991fc53747e4aa97d1bf521418b762842c

SHA512
3ff385cbaac3af4c8ec6111afb8667c992364e178d0160200b99bf96645b7f533c1ffdab1c74e9d05592ae637e28ec9eff35e63f598ecfd4c3ad0fbadd45a456

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp63B3.tmp.exe
Filesize
78KB

MD5
c4902828fbd2c13ce96ad7a31c9eea9c

SHA1
c4686777a73d9a2001d57172ed6f3633b80f79bb

SHA256
ec9aa7ad19a7f03bff6d556a34bd7f19629c5554d22c44bcd6428c3876b1165e

SHA512
4005c384c51c4fe7e77777cf6a831e3e4c691570b82b2a29f25061bc5f5e545c8e512727a23f4257342ed112b6fc49c7ec4ac5cdf59a67de88b4f8f5fc2155c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp63B3.tmp.exe
Filesize
78KB

MD5
c4902828fbd2c13ce96ad7a31c9eea9c

SHA1
c4686777a73d9a2001d57172ed6f3633b80f79bb

SHA256
ec9aa7ad19a7f03bff6d556a34bd7f19629c5554d22c44bcd6428c3876b1165e

SHA512
4005c384c51c4fe7e77777cf6a831e3e4c691570b82b2a29f25061bc5f5e545c8e512727a23f4257342ed112b6fc49c7ec4ac5cdf59a67de88b4f8f5fc2155c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc66DF.tmp
Filesize
660B

MD5
d2912af2bfb2f96242feb2003a06964b

SHA1
b936e9dfeef9812298cd94ef477a947a2e1226f3

SHA256
2355a3557a4887cd6016d638b5e2440f48dd3e3de9ad23f55943442914ee829a

SHA512
7dce86ee4d8521d02829dc1d5ce9946fb7ce2eeb5dfff0b8353e5739e245234cc229461352af01912bbca4a27d73b64665b4f1862e26e8d3a1297e45126e8302

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp63B3.tmp.exe
Filesize
78KB

MD5
c4902828fbd2c13ce96ad7a31c9eea9c

SHA1
c4686777a73d9a2001d57172ed6f3633b80f79bb

SHA256
ec9aa7ad19a7f03bff6d556a34bd7f19629c5554d22c44bcd6428c3876b1165e

SHA512
4005c384c51c4fe7e77777cf6a831e3e4c691570b82b2a29f25061bc5f5e545c8e512727a23f4257342ed112b6fc49c7ec4ac5cdf59a67de88b4f8f5fc2155c0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp63B3.tmp.exe
Filesize
78KB

MD5
c4902828fbd2c13ce96ad7a31c9eea9c

SHA1
c4686777a73d9a2001d57172ed6f3633b80f79bb

SHA256
ec9aa7ad19a7f03bff6d556a34bd7f19629c5554d22c44bcd6428c3876b1165e

SHA512
4005c384c51c4fe7e77777cf6a831e3e4c691570b82b2a29f25061bc5f5e545c8e512727a23f4257342ed112b6fc49c7ec4ac5cdf59a67de88b4f8f5fc2155c0

Download Submit
memory/532-55-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/532-54-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/608-56-0x0000000000000000-mapping.dmp

Download
memory/1296-66-0x0000000000000000-mapping.dmp

Download
memory/1296-69-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/1296-70-0x0000000000195000-0x00000000001A6000-memory.dmp

Filesize
68KB

Download
memory/1408-60-0x0000000000000000-mapping.dmp

Download