metamorpherrat | ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48

Analysis

max time kernel
152s
max time network
195s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
Size

78KB
MD5

06af9b765f0971d34da6cee01bb0dfd3
SHA1

d418e6d883263be3253b8e7884b3481ee9e362ba
SHA256

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48
SHA512

3d20ef5897663c30fc0669fc0f1498d9b7f9fee5a1ab002022a03140e9075797eb8c4108777f22888d44004dc914601a71066592ae9b1a3c52b03bab0959f285

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpA851.tmp.exe

pid process

1272 tmpA851.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpA851.tmp.exe

pid process

1272 tmpA851.tmp.exe

pid	process
1272	tmpA851.tmp.exe

pid	process
1272	tmpA851.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe

pid	process
916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpA851.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA851.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exetmpA851.tmp.exe

description	pid	process
Token: SeDebugPrivilege	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
Token: SeDebugPrivilege	1272	tmpA851.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exevbc.exe

description	pid	process	target process
PID 916 wrote to memory of 1516	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	vbc.exe
PID 916 wrote to memory of 1516	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	vbc.exe
PID 916 wrote to memory of 1516	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	vbc.exe
PID 916 wrote to memory of 1516	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	vbc.exe
PID 1516 wrote to memory of 1400	1516	vbc.exe	cvtres.exe
PID 1516 wrote to memory of 1400	1516	vbc.exe	cvtres.exe
PID 1516 wrote to memory of 1400	1516	vbc.exe	cvtres.exe
PID 1516 wrote to memory of 1400	1516	vbc.exe	cvtres.exe
PID 916 wrote to memory of 1272	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	tmpA851.tmp.exe
PID 916 wrote to memory of 1272	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	tmpA851.tmp.exe
PID 916 wrote to memory of 1272	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	tmpA851.tmp.exe
PID 916 wrote to memory of 1272	916	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	tmpA851.tmp.exe

C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
"C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9oaop9ia.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB5D.tmp"
3⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\tmpA851.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA851.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9oaop9ia.0.vb
Filesize
14KB

MD5
13c3e2324c17610326311fcd48fc3feb

SHA1
27c6fdc93c56a8fee9cf6236441228fc6d87af71

SHA256
09a09e387033433116c4aa32608a6be104e9e631eb85b737ca18ee26844812de

SHA512
bdb13e3778f914bc157180524fddfbc984fe2290fc8160e5ba8ad2a285e0846b71aa0c273eb1bb1167e219d7acc528253808c43031e59b4a9bd3ead22080bde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9oaop9ia.cmdline
Filesize
266B

MD5
72dd27c4c50111a1f9ddd1669a5c0167

SHA1
191e7d5d59ffe0a46c856b712f6f51b9b3465f17

SHA256
e1d1618a12d36b7245b753045b9cfd39d5d34e8f99e358a11a3cbebbf2fed0eb

SHA512
561e8c21edf0c1baa3e56f9dbddafb11ddc44bed9c5381f2b83321cd63dba69c5efc2f9558d56d5c9f9b305e36071a8f226c3b270e2ee0cd7f4b83914bf11340

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB7D.tmp
Filesize
1KB

MD5
8e7790bd9d78370d91261550a7b90023

SHA1
4e0d2bd63abb65ba3587174d7143ac7887983054

SHA256
c2245222e53146751776c84f363d10debe3f83a459b9c0fc95a8b904390f2066

SHA512
5150ef85446c45a8925325e0157e75871da40c849d2f72e3c935e50f0203a9e061c2e8d44d2705392c9b362b4efb77ebc454f8491e24a66defc730c7fc628a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA851.tmp.exe
Filesize
78KB

MD5
c8a1b0ee30154d010c8810a6f5f85241

SHA1
86ef3626c9f609331836335b160ce190a0f52927

SHA256
13f295b2c77190a5cd42aeafd3c8e00c96c9bcb1a027ba519ee3ff9174c52563

SHA512
ae7d62f50f40b16ddd8807124bae6e14913b725199e68786937ff919ef6f84ed7031af6e2d68aecb9fa51ed28529358312f265215b6fca24120786d068094a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA851.tmp.exe
Filesize
78KB

MD5
c8a1b0ee30154d010c8810a6f5f85241

SHA1
86ef3626c9f609331836335b160ce190a0f52927

SHA256
13f295b2c77190a5cd42aeafd3c8e00c96c9bcb1a027ba519ee3ff9174c52563

SHA512
ae7d62f50f40b16ddd8807124bae6e14913b725199e68786937ff919ef6f84ed7031af6e2d68aecb9fa51ed28529358312f265215b6fca24120786d068094a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAB5D.tmp
Filesize
660B

MD5
0d610b12884e9502d7258fe70098b910

SHA1
254c956d9ee616e58974260f1ea395a41e8a43af

SHA256
9d520930df125c0b1914e53d1815a97cca8c7401523b2c25bc7faaab0ddfee55

SHA512
896e6ee813990111c618de8071e8c918bc438e3ca36e21626b43ad5eef7204596aefc5ab4af010187b7aec0496b42a3b76919e3be1a7038ba885d5b755b00261

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA851.tmp.exe
Filesize
78KB

MD5
c8a1b0ee30154d010c8810a6f5f85241

SHA1
86ef3626c9f609331836335b160ce190a0f52927

SHA256
13f295b2c77190a5cd42aeafd3c8e00c96c9bcb1a027ba519ee3ff9174c52563

SHA512
ae7d62f50f40b16ddd8807124bae6e14913b725199e68786937ff919ef6f84ed7031af6e2d68aecb9fa51ed28529358312f265215b6fca24120786d068094a6c

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA851.tmp.exe
Filesize
78KB

MD5
c8a1b0ee30154d010c8810a6f5f85241

SHA1
86ef3626c9f609331836335b160ce190a0f52927

SHA256
13f295b2c77190a5cd42aeafd3c8e00c96c9bcb1a027ba519ee3ff9174c52563

SHA512
ae7d62f50f40b16ddd8807124bae6e14913b725199e68786937ff919ef6f84ed7031af6e2d68aecb9fa51ed28529358312f265215b6fca24120786d068094a6c

Download Submit
memory/916-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/916-55-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/1272-66-0x0000000000000000-mapping.dmp

Download
memory/1272-69-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/1272-70-0x0000000000C85000-0x0000000000C96000-memory.dmp

Filesize
68KB

Download
memory/1400-60-0x0000000000000000-mapping.dmp

Download
memory/1516-56-0x0000000000000000-mapping.dmp

Download