metamorpherrat | 5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3

Analysis

max time kernel
194s
max time network
211s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
Size

78KB
MD5

03e7554116590a34c071d2c7954df17d
SHA1

d4b801e0f7427bf55e2440b59139cb4365a54e62
SHA256

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3
SHA512

148aa862f433bfc3f006e596a7d273546d389a9740a738a0abf11d152b0437fb1ed474854ac1904e740c7441670f170235b8f00eabd7ee57bf688c47fb963c40

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp7714.tmp.exe

pid process

1988 tmp7714.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp7714.tmp.exe

pid process

1988 tmp7714.tmp.exe

pid	process
1988	tmp7714.tmp.exe

pid	process
1988	tmp7714.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe

pid	process
1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp7714.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7714.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exetmp7714.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
Token: SeDebugPrivilege	1988	tmp7714.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exevbc.exe

description	pid	process	target process
PID 1072 wrote to memory of 1656	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	vbc.exe
PID 1072 wrote to memory of 1656	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	vbc.exe
PID 1072 wrote to memory of 1656	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	vbc.exe
PID 1072 wrote to memory of 1656	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	vbc.exe
PID 1656 wrote to memory of 856	1656	vbc.exe	cvtres.exe
PID 1656 wrote to memory of 856	1656	vbc.exe	cvtres.exe
PID 1656 wrote to memory of 856	1656	vbc.exe	cvtres.exe
PID 1656 wrote to memory of 856	1656	vbc.exe	cvtres.exe
PID 1072 wrote to memory of 1988	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	tmp7714.tmp.exe
PID 1072 wrote to memory of 1988	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	tmp7714.tmp.exe
PID 1072 wrote to memory of 1988	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	tmp7714.tmp.exe
PID 1072 wrote to memory of 1988	1072	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	tmp7714.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
"C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pravmhac.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES788C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc788B.tmp"
3⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\tmp7714.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7714.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES788C.tmp
Filesize
1KB

MD5
321f38d0e0a8e1100cbf0eeae50ebec5

SHA1
d9d9a8af122e254b9eaddfc672edc154fb0b9fb5

SHA256
c9e7dd733ccec60fa39682b17b24724d91751abeec0f49f0f5c5b662051946f9

SHA512
08f7b800f1d6219c96702748bbf8ef5a1fbda5550c8c786c329df40e25802c9a90aaf56efa574e6c725ef2e55260c348d3450caede216a401203ae98c923be21

Download Submit
C:\Users\Admin\AppData\Local\Temp\pravmhac.0.vb
Filesize
14KB

MD5
404ebbaf2f8af8ab8d838629a84f6016

SHA1
dc5c3061692f7c17d8c27e3337c1b07d2114d70e

SHA256
3053b8301d487822724ce7649123b78626ffdff3bb5652df274d0c9f3a9d79dc

SHA512
b384ca4e8ccd3200433ff669873542ecfa672879d1c3343320415a55514e7ad0b6b5c936b81dd15ccf58bfdb5b9482d8c60f8dc42dea6b7c64323127ed1e9d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\pravmhac.cmdline
Filesize
266B

MD5
29714a8799d1dc11316b0ae89026bd4a

SHA1
7553809a71be44d8724915505f7269abfb60c267

SHA256
bb422451792e3deb6cc687e7e3a5180fdc8b42b546103eca1fcbf96bc4df770b

SHA512
a9fa27d45fa255b7a7ef87af306645503c0014d591925dcdb987681a644723e7eca949e9d3f65ed423654626b3ecd236279db167b72c8a28fd23a13a564f57e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7714.tmp.exe
Filesize
78KB

MD5
3fb673395027f7ce7f3096ff644b203a

SHA1
2d303c3b8b547b58b0b4fcb9e3399baaf3c3497f

SHA256
b7a9050f3760494acb67a4e19f277c7acb2d1c4f08b8875e7a86fa97f1d98361

SHA512
db4e39ac918e768b6ab0bb9689cb98a3a4f0c5d258991bac45d3874901ddbc8f5a04d7986719e388d9d265516b074d1547a9c69be7f28b464d153142ede248b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7714.tmp.exe
Filesize
78KB

MD5
3fb673395027f7ce7f3096ff644b203a

SHA1
2d303c3b8b547b58b0b4fcb9e3399baaf3c3497f

SHA256
b7a9050f3760494acb67a4e19f277c7acb2d1c4f08b8875e7a86fa97f1d98361

SHA512
db4e39ac918e768b6ab0bb9689cb98a3a4f0c5d258991bac45d3874901ddbc8f5a04d7986719e388d9d265516b074d1547a9c69be7f28b464d153142ede248b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc788B.tmp
Filesize
660B

MD5
93a32f1948c1ef4c281382bb94bfafdd

SHA1
b70f13fd999b97ae5d8359a0d32ecb223bce6dbe

SHA256
fc254b028a1e416a5f546ddf5e69770ade99ba7522e213f2702a929fbc2ab97b

SHA512
4c8d15025fb2742c233e0f11daf279681f273e2fab5560d6db7f7b1f7cba10e0f647aef99dfe85b95590107153fb039732dbb5658397f87d7b32ebf77d50ca6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7714.tmp.exe
Filesize
78KB

MD5
3fb673395027f7ce7f3096ff644b203a

SHA1
2d303c3b8b547b58b0b4fcb9e3399baaf3c3497f

SHA256
b7a9050f3760494acb67a4e19f277c7acb2d1c4f08b8875e7a86fa97f1d98361

SHA512
db4e39ac918e768b6ab0bb9689cb98a3a4f0c5d258991bac45d3874901ddbc8f5a04d7986719e388d9d265516b074d1547a9c69be7f28b464d153142ede248b6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7714.tmp.exe
Filesize
78KB

MD5
3fb673395027f7ce7f3096ff644b203a

SHA1
2d303c3b8b547b58b0b4fcb9e3399baaf3c3497f

SHA256
b7a9050f3760494acb67a4e19f277c7acb2d1c4f08b8875e7a86fa97f1d98361

SHA512
db4e39ac918e768b6ab0bb9689cb98a3a4f0c5d258991bac45d3874901ddbc8f5a04d7986719e388d9d265516b074d1547a9c69be7f28b464d153142ede248b6

Download Submit
memory/856-60-0x0000000000000000-mapping.dmp

Download
memory/1072-55-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1072-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1656-56-0x0000000000000000-mapping.dmp

Download
memory/1988-66-0x0000000000000000-mapping.dmp

Download
memory/1988-69-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-70-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download