metamorpherrat | 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed

Analysis

max time kernel
204s
max time network
211s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-05-2022 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
Size

78KB
MD5

01a27410a7f14cbe2069d62568a0df1c
SHA1

8e6badcd52ca775493b0c22bfb665af6a5fdc558
SHA256

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed
SHA512

58047d6b8162e7f5a635887151345df459b76b15f4da387b00c766c517ca05888189f22a183ce20ca60c11df3d353f0a1651bfb725491dbc4df29b6559f12486

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpDDB3.tmp.exe

pid process

1996 tmpDDB3.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpDDB3.tmp.exe

pid process

1996 tmpDDB3.tmp.exe

pid	process
1996	tmpDDB3.tmp.exe

pid	process
1996	tmpDDB3.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe

pid	process
1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpDDB3.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDDB3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exetmpDDB3.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
Token: SeDebugPrivilege	1996	tmpDDB3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exevbc.exe

description	pid	process	target process
PID 1928 wrote to memory of 812	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	vbc.exe
PID 1928 wrote to memory of 812	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	vbc.exe
PID 1928 wrote to memory of 812	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	vbc.exe
PID 1928 wrote to memory of 812	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	vbc.exe
PID 812 wrote to memory of 1100	812	vbc.exe	cvtres.exe
PID 812 wrote to memory of 1100	812	vbc.exe	cvtres.exe
PID 812 wrote to memory of 1100	812	vbc.exe	cvtres.exe
PID 812 wrote to memory of 1100	812	vbc.exe	cvtres.exe
PID 1928 wrote to memory of 1996	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	tmpDDB3.tmp.exe
PID 1928 wrote to memory of 1996	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	tmpDDB3.tmp.exe
PID 1928 wrote to memory of 1996	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	tmpDDB3.tmp.exe
PID 1928 wrote to memory of 1996	1928	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	tmpDDB3.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
"C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wilynmgm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0BF.tmp"
3⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE0C0.tmp
Filesize
1KB

MD5
1bcdf926acfca4773a17aa781498ff20

SHA1
72b4b0d39edc49bee70e8cb91594544ce235e86c

SHA256
65d9d8836662b16f337048584dfa9934018008a0f99d3bd216db4060155ec7aa

SHA512
82b2dc215e4cf7784854dfb80f72f992e48f27ce6f2c813d2086a306d78c401a76ee17666d94efab5939f0681c11643278bfce841b7259ab1163c25539d5ce9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe
Filesize
78KB

MD5
eaf83340582ed00f20b993f4424c21f0

SHA1
6fb245290acb96538ae08e93ae950aa83ee08477

SHA256
aefa8ffb180077e33d2f2da8bc0868c95f93f73c361743f284fd2664195a4143

SHA512
601a5b474d46774b85dd9db5b97f2a5b5ee248b44e7aa699c9af9da22ffdde6c3e00ed9a9507489360acdc055301e83402c215520703a53a91a2062f037843f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe
Filesize
78KB

MD5
eaf83340582ed00f20b993f4424c21f0

SHA1
6fb245290acb96538ae08e93ae950aa83ee08477

SHA256
aefa8ffb180077e33d2f2da8bc0868c95f93f73c361743f284fd2664195a4143

SHA512
601a5b474d46774b85dd9db5b97f2a5b5ee248b44e7aa699c9af9da22ffdde6c3e00ed9a9507489360acdc055301e83402c215520703a53a91a2062f037843f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE0BF.tmp
Filesize
660B

MD5
f935a8e1a2b03df7fbe501f7c25b4e71

SHA1
8b235ff1f9d39fecff0f9c647e678c3196bd531e

SHA256
a6c79c2b0d5bf837b626eb30e38526905c33044c85d849e4850fbdbe57767271

SHA512
5165c8dd1076e8cb77a437f16152d0cd2e4287be4074a1665c2c4502bb63d411687d0ace8eed329b8226c381e562852eaf457970c7eae94548b68cd9f59190e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wilynmgm.0.vb
Filesize
14KB

MD5
7c235572602cf5619f122cc5ad1b82d2

SHA1
30068c85129735aee52370eaa764c03e6c9fcc9c

SHA256
93defb4bd4cff0241be380a67ac4c53b5415f2d407ccbb5cd089fb23391181ef

SHA512
9ffac2d9ef8ac1c5a6b4d1e413ffe44ab114799c0439d2dba2bd2a0ff7ee2b7967295a3ba9601329b0305d8e1ef70632102a288354b9699be8f474969eb11e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\wilynmgm.cmdline
Filesize
266B

MD5
d0d3d31c578996caaddebd8f414c6e1c

SHA1
d35b77c1b5ccfaf222d6059acbac228e7f2db064

SHA256
21bbd0cfc92e3dbb3f09ca860f795609a4538a7173687902210c06d56437fcf6

SHA512
2734a978b1c0211848b6977772acf0e739b0ce11b230bdc07226e168d7ad0d229d0af266a6c547f7944954754fbd4f5c00d413c549b397947df63c2e08bf12b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe
Filesize
78KB

MD5
eaf83340582ed00f20b993f4424c21f0

SHA1
6fb245290acb96538ae08e93ae950aa83ee08477

SHA256
aefa8ffb180077e33d2f2da8bc0868c95f93f73c361743f284fd2664195a4143

SHA512
601a5b474d46774b85dd9db5b97f2a5b5ee248b44e7aa699c9af9da22ffdde6c3e00ed9a9507489360acdc055301e83402c215520703a53a91a2062f037843f4

Download Submit
\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe
Filesize
78KB

MD5
eaf83340582ed00f20b993f4424c21f0

SHA1
6fb245290acb96538ae08e93ae950aa83ee08477

SHA256
aefa8ffb180077e33d2f2da8bc0868c95f93f73c361743f284fd2664195a4143

SHA512
601a5b474d46774b85dd9db5b97f2a5b5ee248b44e7aa699c9af9da22ffdde6c3e00ed9a9507489360acdc055301e83402c215520703a53a91a2062f037843f4

Download Submit
memory/812-55-0x0000000000000000-mapping.dmp

Download
memory/1100-60-0x0000000000000000-mapping.dmp

Download
memory/1928-57-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-54-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1996-66-0x0000000000000000-mapping.dmp

Download
memory/1996-69-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-70-0x0000000000A65000-0x0000000000A76000-memory.dmp

Filesize
68KB

Download