metamorpherrat | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049

Analysis

max time kernel
168s
max time network
235s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
Size

78KB
MD5

22925b7ae382e5821f8706641672eabf
SHA1

694980b0dfe105ff8fa89f6899605f83d6f05771
SHA256

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049
SHA512

c678ddd737f8b27df377eab594ce2d65d0ac026dcba3446fc51b1dd89a7df8066de96ca13cc5d1e595113380c94ba49662087a3bb313d106add1d5b9dc26f819

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp6A39.tmp.exe

pid process

1988 tmp6A39.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp6A39.tmp.exe

pid process

1988 tmp6A39.tmp.exe

pid	process
1988	tmp6A39.tmp.exe

pid	process
1988	tmp6A39.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe

pid	process
1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp6A39.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp6A39.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exetmp6A39.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
Token: SeDebugPrivilege	1988	tmp6A39.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exevbc.exe

description	pid	process	target process
PID 1764 wrote to memory of 1720	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	vbc.exe
PID 1764 wrote to memory of 1720	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	vbc.exe
PID 1764 wrote to memory of 1720	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	vbc.exe
PID 1764 wrote to memory of 1720	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	vbc.exe
PID 1720 wrote to memory of 2020	1720	vbc.exe	cvtres.exe
PID 1720 wrote to memory of 2020	1720	vbc.exe	cvtres.exe
PID 1720 wrote to memory of 2020	1720	vbc.exe	cvtres.exe
PID 1720 wrote to memory of 2020	1720	vbc.exe	cvtres.exe
PID 1764 wrote to memory of 1988	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	tmp6A39.tmp.exe
PID 1764 wrote to memory of 1988	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	tmp6A39.tmp.exe
PID 1764 wrote to memory of 1988	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	tmp6A39.tmp.exe
PID 1764 wrote to memory of 1988	1764	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	tmp6A39.tmp.exe

C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
"C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r7fpyhng.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CB8.tmp"
3⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp6A39.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6A39.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6CC9.tmp
Filesize
1KB

MD5
471b27fbf3e0695e29e08f2704969e45

SHA1
93e6634fa7a0d473745533aa5db50ced4429c9f7

SHA256
b3734b429f7bec1f3dadeeb1b1da820bdf3f25e5056efbcd8528f523486a88fc

SHA512
bc33d546670afc6ac0860c5e9f41bccea8428238e48015ffb724b0ffbea0671e652413851b287a0955ccc97f6e71fcd23fc69a3eb975f82a805c11cd86abb2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7fpyhng.0.vb
Filesize
15KB

MD5
a187e64fc8281ba7f3977b01195538ee

SHA1
759483b7bb841dbcf037a8f23904d53501dff255

SHA256
04cdaf85b8f47f03e85268224410e468be819a94bb5a38958c6cf6c30a930ed6

SHA512
6d4ff24d1581b9e59753383d1f611dd88c773b69105e6b86aed4def93eaccd190904356a513bc8d4c5212c83974403dd7b656ee986157ae3d49cf817a2837dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7fpyhng.cmdline
Filesize
266B

MD5
fe09655bb5211e0ebb816a697afd4525

SHA1
b1485b1e30cd56b39ae0d77f48c0a4e3087d8e75

SHA256
95356850e249e6ce085ec471d818d694d93f7cd2018795ede1a99fecbf45ab37

SHA512
946c4ee66c84f077026124bc0055b2201e84d92f3df1ded61bd95a3db608004e9bb9d76d89f37ceb40980ab2f0d3c35da937ec36d98048608c4ec4e89f44d809

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A39.tmp.exe
Filesize
78KB

MD5
52c66555cf22c463dfd802df621aaa3c

SHA1
42ef86486143542b56205f98bfe0d580fb016785

SHA256
cf75c38b19da6c4d44ab51a3bbdb0f29a8068759d40e491dc0a5c48ff0d3cb45

SHA512
d8d1cb8fe95e4a2592b160b00f9ed655e3470515af107f818aa3ce8e649e0968721a67265bfb25cfc12ef34983b9ba06905371e6fb5af8ee08650cca7bd94011

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A39.tmp.exe
Filesize
78KB

MD5
52c66555cf22c463dfd802df621aaa3c

SHA1
42ef86486143542b56205f98bfe0d580fb016785

SHA256
cf75c38b19da6c4d44ab51a3bbdb0f29a8068759d40e491dc0a5c48ff0d3cb45

SHA512
d8d1cb8fe95e4a2592b160b00f9ed655e3470515af107f818aa3ce8e649e0968721a67265bfb25cfc12ef34983b9ba06905371e6fb5af8ee08650cca7bd94011

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CB8.tmp
Filesize
660B

MD5
85d12ce551a84bfbfed2fb491ee6300f

SHA1
fdcc23c9ddae2363ba2c5d1dc44ae6580268806b

SHA256
ac671d513dd5c9fb84081e58ad18d573f8f4649d38b812506d34778b7b93f092

SHA512
b9f83be9090de867e6868304688e1199d8ee017960c236f9d1df22f33bc20c519076612f284fc9fcd6f0a778ed5e05eb7c1c0d58c5a3e45dbbc40cfb781c2347

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6A39.tmp.exe
Filesize
78KB

MD5
52c66555cf22c463dfd802df621aaa3c

SHA1
42ef86486143542b56205f98bfe0d580fb016785

SHA256
cf75c38b19da6c4d44ab51a3bbdb0f29a8068759d40e491dc0a5c48ff0d3cb45

SHA512
d8d1cb8fe95e4a2592b160b00f9ed655e3470515af107f818aa3ce8e649e0968721a67265bfb25cfc12ef34983b9ba06905371e6fb5af8ee08650cca7bd94011

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6A39.tmp.exe
Filesize
78KB

MD5
52c66555cf22c463dfd802df621aaa3c

SHA1
42ef86486143542b56205f98bfe0d580fb016785

SHA256
cf75c38b19da6c4d44ab51a3bbdb0f29a8068759d40e491dc0a5c48ff0d3cb45

SHA512
d8d1cb8fe95e4a2592b160b00f9ed655e3470515af107f818aa3ce8e649e0968721a67265bfb25cfc12ef34983b9ba06905371e6fb5af8ee08650cca7bd94011

Download Submit
memory/1720-56-0x0000000000000000-mapping.dmp

Download
memory/1764-54-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1764-55-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-66-0x0000000000000000-mapping.dmp

Download
memory/1988-69-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-70-0x00000000005F5000-0x0000000000606000-memory.dmp

Filesize
68KB

Download
memory/2020-60-0x0000000000000000-mapping.dmp

Download