metamorpherrat | 27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0

Analysis

max time kernel
170s
max time network
235s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe
Size

78KB
MD5

1aeb21d793453e9d5fba2a09e7f5e876
SHA1

3b58628a5774b1d65c3cb366618239a36afbad0b
SHA256

27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0
SHA512

2d1bb35a7c05cc37170f20ea013aa9ae124e4fdeb8e62e5ca1baf032b3fa975312a981edd9a8ee211b28f21a3884dc123d00f9331901bba1f1f9949d837a6dac

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp3AFF.tmp.exe

pid process

2040 tmp3AFF.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp3AFF.tmp.exe

pid process

2040 tmp3AFF.tmp.exe

pid	process
2040	tmp3AFF.tmp.exe

pid	process
2040	tmp3AFF.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe

pid	process
1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe
1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp3AFF.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp3AFF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exetmp3AFF.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe
Token: SeDebugPrivilege	2040	tmp3AFF.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exevbc.exe

description	pid	process	target process
PID 1980 wrote to memory of 1108	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe	vbc.exe
PID 1980 wrote to memory of 1108	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe	vbc.exe
PID 1980 wrote to memory of 1108	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe	vbc.exe
PID 1980 wrote to memory of 1108	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe	vbc.exe
PID 1108 wrote to memory of 2036	1108	vbc.exe	cvtres.exe
PID 1108 wrote to memory of 2036	1108	vbc.exe	cvtres.exe
PID 1108 wrote to memory of 2036	1108	vbc.exe	cvtres.exe
PID 1108 wrote to memory of 2036	1108	vbc.exe	cvtres.exe
PID 1980 wrote to memory of 2040	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe	tmp3AFF.tmp.exe
PID 1980 wrote to memory of 2040	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe	tmp3AFF.tmp.exe
PID 1980 wrote to memory of 2040	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe	tmp3AFF.tmp.exe
PID 1980 wrote to memory of 2040	1980	27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe	tmp3AFF.tmp.exe

C:\Users\Admin\AppData\Local\Temp\27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe
"C:\Users\Admin\AppData\Local\Temp\27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eyddvxbz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C28.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C27.tmp"
3⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp3AFF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3AFF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\27ad04d67537103691c32c8ea26ce4b8e372e259319dff38c8f2ee1659675cd0.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3C28.tmp
Filesize
1KB

MD5
0e281ff533062bbec66fc7aa8f6e7008

SHA1
7ea2ed64b8923617da4c0505e7afe1ef06da61f8

SHA256
dfe7cf394a828f867c8e7a9507f90cc7d627f0323f76405fddbfd53fa0e0b7ae

SHA512
2cb65f993097e4214112dd28364abf53363ca08e6a4a825b2b36cbba91da3c73dcaf4d11d474277f15cb1f9f96761962db5c2eaddfe2a52ad64f4173bdece47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyddvxbz.0.vb
Filesize
14KB

MD5
035b39f10a732eb715a107f9930b51dc

SHA1
603430c6f523479d7614b6c1cb6322c8ef4ba344

SHA256
4b8b8d7fdbb16502d66355f192948695d0fdd1dea7cbb655e2e4cb0ba15ca045

SHA512
00a6451c4342a0a6e59e3c99aeecbe8292817500630707607b98c55dfe502a9ed684992ae45a5f713d6f4c2d435de6595b0f58fd15396568fbab6a48d8506c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyddvxbz.cmdline
Filesize
266B

MD5
cc2c1828fa1b550ccbdca9c2d3b2ad1e

SHA1
b5d1820bcc0fe6a31cc55c4821aec79d7f5ca065

SHA256
bc9443704e98918f7c9e2a989ce42a1f26f5305e92b9f993b827690416aa6186

SHA512
5a46af943b53c06af8fdb47bbc63201bdf21fb7eaf7c8002aa15ed4a7b86ef34f604464001410776d6290b2db4ead6e55b4f8a54138d50c992d1dec55e4d2bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AFF.tmp.exe
Filesize
78KB

MD5
e531aa0f814b890e8264f82cc6edf96c

SHA1
181844ba59b7cd3b89ca9b8d8a67544072923a2e

SHA256
3efec74a7b462019232d51283a1763044987c415ea396343a33797eda57ffdcb

SHA512
c57e82a47f990a38d39f592702f7c696356c3b319b7cbfdba4bcc39ebdc49ca3853f8239da10c80dfa656043ec938d2eb345d05d88f2fd994811d57ed0016299

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AFF.tmp.exe
Filesize
78KB

MD5
e531aa0f814b890e8264f82cc6edf96c

SHA1
181844ba59b7cd3b89ca9b8d8a67544072923a2e

SHA256
3efec74a7b462019232d51283a1763044987c415ea396343a33797eda57ffdcb

SHA512
c57e82a47f990a38d39f592702f7c696356c3b319b7cbfdba4bcc39ebdc49ca3853f8239da10c80dfa656043ec938d2eb345d05d88f2fd994811d57ed0016299

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C27.tmp
Filesize
660B

MD5
abec9c1344afb3453dd13031c723f90f

SHA1
387e782a48b2e49786155e7ef5ba55623b891873

SHA256
a342d83ba8df54e482aa906976a023a6edcc75ac2df55fb5f8e7a38897ac7494

SHA512
39784cf9e67a2fc5fed5059ecd0292bb5837e79728d14f29954a653e0cf21c7f68c06581caef75f1b32cad27b6769f34b7978b39d9100d974b8b77892ddc03bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3AFF.tmp.exe
Filesize
78KB

MD5
e531aa0f814b890e8264f82cc6edf96c

SHA1
181844ba59b7cd3b89ca9b8d8a67544072923a2e

SHA256
3efec74a7b462019232d51283a1763044987c415ea396343a33797eda57ffdcb

SHA512
c57e82a47f990a38d39f592702f7c696356c3b319b7cbfdba4bcc39ebdc49ca3853f8239da10c80dfa656043ec938d2eb345d05d88f2fd994811d57ed0016299

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3AFF.tmp.exe
Filesize
78KB

MD5
e531aa0f814b890e8264f82cc6edf96c

SHA1
181844ba59b7cd3b89ca9b8d8a67544072923a2e

SHA256
3efec74a7b462019232d51283a1763044987c415ea396343a33797eda57ffdcb

SHA512
c57e82a47f990a38d39f592702f7c696356c3b319b7cbfdba4bcc39ebdc49ca3853f8239da10c80dfa656043ec938d2eb345d05d88f2fd994811d57ed0016299

Download Submit
memory/1108-55-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1980-68-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download
memory/2040-65-0x0000000000000000-mapping.dmp

Download
memory/2040-69-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-70-0x0000000000B65000-0x0000000000B76000-memory.dmp

Filesize
68KB

Download