metamorpherrat | 1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32

Analysis

max time kernel
174s
max time network
207s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe
Size

78KB
MD5

00ab2265b8b31c56c729ffe63191fac4
SHA1

c59c2138c9e098edc515340c2a84e2ef0973c332
SHA256

1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32
SHA512

e91ec018a5f4424bec6da75b19a3527764ae96e3106b06e9167e5a0a5dd55fd15c20bb03d1e48241c66f18f018248c04f1a74011873aeee656a5b500bdb0c4bf

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpD818.tmp.exe

pid process

1976 tmpD818.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpD818.tmp.exe

pid process

1976 tmpD818.tmp.exe

pid	process
1976	tmpD818.tmp.exe

pid	process
1976	tmpD818.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe

pid	process
1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe
1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpD818.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD818.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exetmpD818.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe
Token: SeDebugPrivilege	1976	tmpD818.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exevbc.exe

description	pid	process	target process
PID 1100 wrote to memory of 1056	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe	vbc.exe
PID 1100 wrote to memory of 1056	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe	vbc.exe
PID 1100 wrote to memory of 1056	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe	vbc.exe
PID 1100 wrote to memory of 1056	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe	vbc.exe
PID 1056 wrote to memory of 2036	1056	vbc.exe	cvtres.exe
PID 1056 wrote to memory of 2036	1056	vbc.exe	cvtres.exe
PID 1056 wrote to memory of 2036	1056	vbc.exe	cvtres.exe
PID 1056 wrote to memory of 2036	1056	vbc.exe	cvtres.exe
PID 1100 wrote to memory of 1976	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe	tmpD818.tmp.exe
PID 1100 wrote to memory of 1976	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe	tmpD818.tmp.exe
PID 1100 wrote to memory of 1976	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe	tmpD818.tmp.exe
PID 1100 wrote to memory of 1976	1100	1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe	tmpD818.tmp.exe

C:\Users\Admin\AppData\Local\Temp\1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe
"C:\Users\Admin\AppData\Local\Temp\1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qggrhcgz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD98F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD97E.tmp"
3⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmpD818.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD818.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1e10e52c761853980cbd76a59d0f661600e857746173ad688202ba04f622cb32.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD98F.tmp
Filesize
1KB

MD5
2b8e8850c32659c680aee73fab3df86b

SHA1
7a48bd7e1fc3d9418c7082e10f9f549d34da999b

SHA256
5fa10eeb81773ddfd4bfd156f0ea6357289f1ecdbd377468ac0fac6e0a770a68

SHA512
668ea7e09028ea6d6a6ddf3df9cdd66fb45166f146f7b5d642afc84b9aa7ba3dd6405176212ad372b9a7827e7ef10b64702e58d6670b12d27cc2d20cbd1badc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qggrhcgz.0.vb
Filesize
14KB

MD5
380faa0958323f8ce4d7cfe778109f1f

SHA1
b377384fdfc178995d53ff79902669611f4ca02c

SHA256
8bd6ef637d7295859218d5720b804bd3c789c33c46253a134ba79049ff2b7f0b

SHA512
15d84ea4007fc59c7bce4a1edd191edf29f4f5cab8256a3dbbeb184d46c86068dbe15c6a16098953167f605164a314a8ee315b4cfef94193d5d08b08453be034

Download Submit
C:\Users\Admin\AppData\Local\Temp\qggrhcgz.cmdline
Filesize
266B

MD5
70020e345341bb34c8f896e94f6aa1a1

SHA1
6c2ecdd4bde2639bd84d3b56bfbe9dcad1f121e3

SHA256
6659640ee500169779837988400ec4c21a3e38537ed1cbbc8260e52ffea51e82

SHA512
3e15cb37fced3ff9b0c3377baba7193b77efb83677c6ee584cbf79dc9c645798c29bb7b989aed3c49262f90cce8582f36957e167333ba0d8ffb99098fd677b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD818.tmp.exe
Filesize
78KB

MD5
d4cd090d3044d33354c2e7d43349d652

SHA1
dfd02377794abbac7f6d392168e4556608e7e2db

SHA256
1ba19cc0f008c974ffb9b9b11e12db22073a75f179efbe8cab17c8a0c198222c

SHA512
fcfcfc4911f1860513ffb53a0eee12e5b39a3a290a87c5347f54db06f40b9025a0a872ec47a0d71cbddb0f0148d07cda6f6448266343d0066af80910b6b785ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD818.tmp.exe
Filesize
78KB

MD5
d4cd090d3044d33354c2e7d43349d652

SHA1
dfd02377794abbac7f6d392168e4556608e7e2db

SHA256
1ba19cc0f008c974ffb9b9b11e12db22073a75f179efbe8cab17c8a0c198222c

SHA512
fcfcfc4911f1860513ffb53a0eee12e5b39a3a290a87c5347f54db06f40b9025a0a872ec47a0d71cbddb0f0148d07cda6f6448266343d0066af80910b6b785ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD97E.tmp
Filesize
660B

MD5
2032adea4f7fdfe96ae0d02c536e7c18

SHA1
a8871ef2581f2f35e6656c27cd9dc2cdee92a7a6

SHA256
3d7cac1438e385a9a594e1a322ca053dfeeb119836f9ee17e536c18de49bb6db

SHA512
a9dc852ec2f485f933f09009aad07da540ec7fc624f121b23bdf519086fadf9535442c0a80e1c7f7e68a0809de8305e2a33a80b6753a69796eeae4763a2fe6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD818.tmp.exe
Filesize
78KB

MD5
d4cd090d3044d33354c2e7d43349d652

SHA1
dfd02377794abbac7f6d392168e4556608e7e2db

SHA256
1ba19cc0f008c974ffb9b9b11e12db22073a75f179efbe8cab17c8a0c198222c

SHA512
fcfcfc4911f1860513ffb53a0eee12e5b39a3a290a87c5347f54db06f40b9025a0a872ec47a0d71cbddb0f0148d07cda6f6448266343d0066af80910b6b785ba

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD818.tmp.exe
Filesize
78KB

MD5
d4cd090d3044d33354c2e7d43349d652

SHA1
dfd02377794abbac7f6d392168e4556608e7e2db

SHA256
1ba19cc0f008c974ffb9b9b11e12db22073a75f179efbe8cab17c8a0c198222c

SHA512
fcfcfc4911f1860513ffb53a0eee12e5b39a3a290a87c5347f54db06f40b9025a0a872ec47a0d71cbddb0f0148d07cda6f6448266343d0066af80910b6b785ba

Download Submit
memory/1056-55-0x0000000000000000-mapping.dmp

Download
memory/1100-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1100-63-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-66-0x0000000000000000-mapping.dmp

Download
memory/1976-69-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-70-0x0000000000DC5000-0x0000000000DD6000-memory.dmp

Filesize
68KB

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download