metamorpherrat | cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695

Analysis

max time kernel
115s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-05-2022 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
Size

78KB
MD5

03e747b5e88513e21319eeaa1126b81e
SHA1

b05e3fbf5b3711eba03abd4660ec94e1acc11a17
SHA256

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695
SHA512

d368b1800287d189a8ed49c420721d25eaf72e1b441281dd1881e4e7defdb2d602b277c3cb98dad04028e3ae6da94ff73b136e00616d3dd31eefeaae21c29732

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp85E3.tmp.exe

pid process

1756 tmp85E3.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp85E3.tmp.exe

pid process

1756 tmp85E3.tmp.exe

pid	process
1756	tmp85E3.tmp.exe

pid	process
1756	tmp85E3.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe

pid	process
240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe

description pid process

Token: SeDebugPrivilege 240 cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe

description	pid	process
Token: SeDebugPrivilege	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exevbc.exe

description	pid	process	target process
PID 240 wrote to memory of 1736	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	vbc.exe
PID 240 wrote to memory of 1736	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	vbc.exe
PID 240 wrote to memory of 1736	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	vbc.exe
PID 240 wrote to memory of 1736	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	vbc.exe
PID 1736 wrote to memory of 1320	1736	vbc.exe	cvtres.exe
PID 1736 wrote to memory of 1320	1736	vbc.exe	cvtres.exe
PID 1736 wrote to memory of 1320	1736	vbc.exe	cvtres.exe
PID 1736 wrote to memory of 1320	1736	vbc.exe	cvtres.exe
PID 240 wrote to memory of 1756	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	tmp85E3.tmp.exe
PID 240 wrote to memory of 1756	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	tmp85E3.tmp.exe
PID 240 wrote to memory of 1756	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	tmp85E3.tmp.exe
PID 240 wrote to memory of 1756	240	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	tmp85E3.tmp.exe

C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
"C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bluccib0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAFC.tmp"
3⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:1756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEC35.tmp
Filesize
1KB

MD5
439518105666b35ad5d7333add0b2c3f

SHA1
b08356fdb084a43d685bd1e0d3f023350cf009a0

SHA256
ee81b8f833a96e70b3a8bc5db239be016ee336ce4c86ec83fd989420d0854c3e

SHA512
2073e47d8cb941e5ba1e89d2976262037ada1ec5ad6ff3654b7149eddd79edfab46a79ffc71d80db3ab463e7b61f4b962166f155706ad0a7af56e67b7124340f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bluccib0.0.vb
Filesize
15KB

MD5
1263ea86dc4913b273e9f6d205460cb5

SHA1
d1e39922b3a1983008153fa2d7af104dbcda326a

SHA256
71282e43f07034930b8157c80c08fb0b75dc7ce65ce533a1f1964f0177179ee7

SHA512
e4fd4bd8166fedb4816a0a604fd72ebb86564841867a92b02b1eb207bab9f218565e8ccae33471e747d195efcaef4c3980672397604ecb245fcffc389b34ff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\bluccib0.cmdline
Filesize
266B

MD5
4fd0b1ce98e7923f1ad93bc95db4e28c

SHA1
7f4bacf2de30ed18e03447d24fd6d98d83999815

SHA256
9c3560ea977aba47f5db7defe8bdf1154e5f3ea09b69c6a20b3353ea4d2007bc

SHA512
a5b0e21e9ba1e61c68942dcdf3438544e8197b269d628b0a158bdc7e7c9ed6335b4294695f56f96c7f43a468376923212f23d563e858e789f7180b94a89659ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe
Filesize
78KB

MD5
9f2b228e84bcda1e423a28f08c7b509f

SHA1
469d70fd3a7a6a3edae806475d3c47dcc5849490

SHA256
7b6dcf3704278f303f5d7fa4370a7f5d53f380311f73bc0a890f0af942bafa1c

SHA512
2122c740c7bd40d3589fbb0dedf3d4123188665e389687561695248d1e9a1abc02b8bed1a5c65557e7909881f0823d10fb2e72bfd290fde9f085332e76d30303

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe
Filesize
78KB

MD5
9f2b228e84bcda1e423a28f08c7b509f

SHA1
469d70fd3a7a6a3edae806475d3c47dcc5849490

SHA256
7b6dcf3704278f303f5d7fa4370a7f5d53f380311f73bc0a890f0af942bafa1c

SHA512
2122c740c7bd40d3589fbb0dedf3d4123188665e389687561695248d1e9a1abc02b8bed1a5c65557e7909881f0823d10fb2e72bfd290fde9f085332e76d30303

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEAFC.tmp
Filesize
660B

MD5
053e93fd4bf05ad24e3a2abcf340af9f

SHA1
345898b4fc46fb6a5efcfed6894e59263ff800a2

SHA256
a0864347fc0d67f293545da94463ccd4378fa7227f6fded58b90f11d1f3ec246

SHA512
10b882d884f1d4a9047591d0445f82e299bbf99a061ecbd13375cd6b51ade159344dbf1ccbb8007d5c03d982f58aebfbc7a5787ad7bbbec4e561bae66ef5431a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe
Filesize
78KB

MD5
9f2b228e84bcda1e423a28f08c7b509f

SHA1
469d70fd3a7a6a3edae806475d3c47dcc5849490

SHA256
7b6dcf3704278f303f5d7fa4370a7f5d53f380311f73bc0a890f0af942bafa1c

SHA512
2122c740c7bd40d3589fbb0dedf3d4123188665e389687561695248d1e9a1abc02b8bed1a5c65557e7909881f0823d10fb2e72bfd290fde9f085332e76d30303

Download Submit
\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe
Filesize
78KB

MD5
9f2b228e84bcda1e423a28f08c7b509f

SHA1
469d70fd3a7a6a3edae806475d3c47dcc5849490

SHA256
7b6dcf3704278f303f5d7fa4370a7f5d53f380311f73bc0a890f0af942bafa1c

SHA512
2122c740c7bd40d3589fbb0dedf3d4123188665e389687561695248d1e9a1abc02b8bed1a5c65557e7909881f0823d10fb2e72bfd290fde9f085332e76d30303

Download Submit
memory/240-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/240-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1320-60-0x0000000000000000-mapping.dmp

Download
memory/1736-56-0x0000000000000000-mapping.dmp

Download
memory/1756-66-0x0000000000000000-mapping.dmp

Download
memory/1756-69-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download