metamorpherrat | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409

Analysis

max time kernel
170s
max time network
197s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
Size

78KB
MD5

1297acfc90c669e3c9da7431e54215e5
SHA1

7a421d63c3b8de639d97d77f20034d218f7068ff
SHA256

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409
SHA512

7ec6a5044b147e14cc34d7c02262cbd343f4b8eefa77e9a4a37be3d499e2121001f2793ae608fade69947cc7ed3b47f5369462b98a7b79614268e260e3a11fd5

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpB904.tmp.exe

pid process

2024 tmpB904.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpB904.tmp.exe

pid process

2024 tmpB904.tmp.exe

pid	process
2024	tmpB904.tmp.exe

pid	process
2024	tmpB904.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe

pid	process
884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpB904.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB904.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exetmpB904.tmp.exe

description	pid	process
Token: SeDebugPrivilege	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
Token: SeDebugPrivilege	2024	tmpB904.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exevbc.exe

description	pid	process	target process
PID 884 wrote to memory of 1484	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	vbc.exe
PID 884 wrote to memory of 1484	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	vbc.exe
PID 884 wrote to memory of 1484	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	vbc.exe
PID 884 wrote to memory of 1484	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	vbc.exe
PID 1484 wrote to memory of 2016	1484	vbc.exe	cvtres.exe
PID 1484 wrote to memory of 2016	1484	vbc.exe	cvtres.exe
PID 1484 wrote to memory of 2016	1484	vbc.exe	cvtres.exe
PID 1484 wrote to memory of 2016	1484	vbc.exe	cvtres.exe
PID 884 wrote to memory of 2024	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	tmpB904.tmp.exe
PID 884 wrote to memory of 2024	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	tmpB904.tmp.exe
PID 884 wrote to memory of 2024	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	tmpB904.tmp.exe
PID 884 wrote to memory of 2024	884	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	tmpB904.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
"C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf0k7miw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAB8.tmp"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\tmpB904.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB904.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBAB9.tmp
Filesize
1KB

MD5
135ed187c73eeeaec25b4fa23641e1d3

SHA1
fba8d5263f2281cf8dbeed145ffaebe4d65de556

SHA256
04bd63bc3178e1dd2308e67e3d55b4b1b6eb6584bc7d6e77538c1ae01d748e8a

SHA512
d03ad33f70904b951c211851cfdd815ea338cb2e9a5179359b70c6fac61688d3e627baa3306612ac50a7ecb63001e29e316f221f903e7b9c780c5401c06832a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB904.tmp.exe
Filesize
78KB

MD5
d774d261ff7ae88ccea694c239ec58b7

SHA1
1901d4e24b62430a64d0400e1f1c02cea97e4f8e

SHA256
62a4ecd1135f29c62c6ad3dfabadce38c7f27ec1b4f19e66fe6909c817b72250

SHA512
c41af946cb3f8b58a5b78e65a28ab2fc769e654be2916d58428fbadae636e63ae0cb0a8d2d665ef3b550e4afb865479a5ba38bfd93ec4c8ccca2e688f6c46a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB904.tmp.exe
Filesize
78KB

MD5
d774d261ff7ae88ccea694c239ec58b7

SHA1
1901d4e24b62430a64d0400e1f1c02cea97e4f8e

SHA256
62a4ecd1135f29c62c6ad3dfabadce38c7f27ec1b4f19e66fe6909c817b72250

SHA512
c41af946cb3f8b58a5b78e65a28ab2fc769e654be2916d58428fbadae636e63ae0cb0a8d2d665ef3b550e4afb865479a5ba38bfd93ec4c8ccca2e688f6c46a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBAB8.tmp
Filesize
660B

MD5
2211c03c7544b8397f6b74c50b690eaf

SHA1
058cc7a9a63cd88a7f0d5868b687b634ce651d07

SHA256
ec365a08345f37dda3d5b17f169ee8b240a76b64f00d87381139444144da3b41

SHA512
e2443925f8c8f377e5825bab0c5560499ba0cd204ba077391685b878407df7e09d4bbf17bb399ece313fa74e9aa023b26b13582c0404d346bbf28ffb69dde2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf0k7miw.0.vb
Filesize
15KB

MD5
9300239d2efcd8a623708254524c66de

SHA1
13958ac65655eed78b54362f6547cdc585cc420b

SHA256
b569200b2498d49681ef43c0dc6841cb09dfc6608fd67a83c9e1ea526226b09a

SHA512
033f76b74e078c26868436c41dcf51aa8439041d9b0822a27c0065d89dc9d6fdfbca946e5d8416906d3524148f1e6aa5e687455bebdb0653e44e1ccee1720363

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf0k7miw.cmdline
Filesize
266B

MD5
7aeb8184384720062efd918c1ae2db3e

SHA1
6878f932421b55aa8dd9bd149f552fad335eb742

SHA256
012a65f95cda1720fe1529dc25f3eea39745f468072dda179c6fb294314bf8c8

SHA512
94692404976296144b967ff34e8849cfcfa7de677c5f7072a142ffc0cb263588352b196801e7c302574712c9474a2b790ebef1a609824befc5f3a27db6b6d6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmpB904.tmp.exe
Filesize
78KB

MD5
d774d261ff7ae88ccea694c239ec58b7

SHA1
1901d4e24b62430a64d0400e1f1c02cea97e4f8e

SHA256
62a4ecd1135f29c62c6ad3dfabadce38c7f27ec1b4f19e66fe6909c817b72250

SHA512
c41af946cb3f8b58a5b78e65a28ab2fc769e654be2916d58428fbadae636e63ae0cb0a8d2d665ef3b550e4afb865479a5ba38bfd93ec4c8ccca2e688f6c46a26

Download Submit
\Users\Admin\AppData\Local\Temp\tmpB904.tmp.exe
Filesize
78KB

MD5
d774d261ff7ae88ccea694c239ec58b7

SHA1
1901d4e24b62430a64d0400e1f1c02cea97e4f8e

SHA256
62a4ecd1135f29c62c6ad3dfabadce38c7f27ec1b4f19e66fe6909c817b72250

SHA512
c41af946cb3f8b58a5b78e65a28ab2fc769e654be2916d58428fbadae636e63ae0cb0a8d2d665ef3b550e4afb865479a5ba38bfd93ec4c8ccca2e688f6c46a26

Download Submit
memory/884-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/884-68-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-55-0x0000000000000000-mapping.dmp

Download
memory/2016-59-0x0000000000000000-mapping.dmp

Download
memory/2024-65-0x0000000000000000-mapping.dmp

Download
memory/2024-69-0x0000000073910000-0x0000000073EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-70-0x00000000004D5000-0x00000000004E6000-memory.dmp

Filesize
68KB

Download