metamorpherrat | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a

Analysis

max time kernel
191s
max time network
203s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
Size

78KB
MD5

047e2b220274efec3654b82f56552676
SHA1

3df7a72f37c4ad0b94ecfa4e83071cbcd6271235
SHA256

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a
SHA512

7d3b0897b4be725ede778dd16f682a6886773a9eddc1847dfbd5ef177a8a627bf9c0d00acf83d0367c44a702ba8587708fdcef41b72628a6c1df6569b98a1b07

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpBDB5.tmp.exe

pid process

976 tmpBDB5.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpBDB5.tmp.exe

pid process

976 tmpBDB5.tmp.exe

pid	process
976	tmpBDB5.tmp.exe

pid	process
976	tmpBDB5.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe

pid	process
1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpBDB5.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpBDB5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exetmpBDB5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
Token: SeDebugPrivilege	976	tmpBDB5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exevbc.exe

description	pid	process	target process
PID 1840 wrote to memory of 588	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	vbc.exe
PID 1840 wrote to memory of 588	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	vbc.exe
PID 1840 wrote to memory of 588	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	vbc.exe
PID 1840 wrote to memory of 588	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	vbc.exe
PID 588 wrote to memory of 1652	588	vbc.exe	cvtres.exe
PID 588 wrote to memory of 1652	588	vbc.exe	cvtres.exe
PID 588 wrote to memory of 1652	588	vbc.exe	cvtres.exe
PID 588 wrote to memory of 1652	588	vbc.exe	cvtres.exe
PID 1840 wrote to memory of 976	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	tmpBDB5.tmp.exe
PID 1840 wrote to memory of 976	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	tmpBDB5.tmp.exe
PID 1840 wrote to memory of 976	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	tmpBDB5.tmp.exe
PID 1840 wrote to memory of 976	1840	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	tmpBDB5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
"C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sg2xsijr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC370.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC36F.tmp"
3⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmpBDB5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBDB5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC370.tmp
Filesize
1KB

MD5
5604f00fef80733500346aca89e0a27b

SHA1
3652e35077cc4cf7777f2106bd1a56bc653a59db

SHA256
a2a414a03a982a74ec245e1fc7d5e0b3fb567cc09d5e98b4e9bd134e7e840a98

SHA512
3d9a5d74aca736ede6e537afd4ae838b8297935a3f7e5e0e3eb085b56c8f956552e1b0d013b692602f5ce238e1951db55908e341027b52fc13aa4016852c71b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sg2xsijr.0.vb
Filesize
14KB

MD5
030dde91d4171d27d3bf6259ba37a9ad

SHA1
6ca546bf9593a24c52da8d8504413ecc80f6c871

SHA256
cf7696b2d656a7a0cf7171b90c7c7acfd0bd3aa2724d1c0b6fc7db448fa27d65

SHA512
4d1932852c56f4906ce6817bf7b0dd09ba6ca72cb69bf534575399738488df7987821ebadb62794fb4e066fa19c66cf33e65d2378cef37269416a901f7fb933e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sg2xsijr.cmdline
Filesize
266B

MD5
36a2d2ec1bef01107c3ca863637629c5

SHA1
b18aa4df85cbee1c26f9c0b5bcd269b9802ee5bd

SHA256
8ee0c792c845e33a9e36654deb572b965f5bc04be144d6a7b9f956a81c5cbc98

SHA512
f8a984c58b705f322b60e713c2dae11808467897253c2722a92b6254d102a13109897e9396df4fbb908fac720737784bd57e857df9cb8ef260b2c3357bc324ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDB5.tmp.exe
Filesize
78KB

MD5
8c51f17b344b29db9c7294c76bcf49e6

SHA1
2f24e7730b2d8ee33d758d395f7083af5b1ccf31

SHA256
e1720a61698fd4c41de3f50445f3572bce25eb5624190d010e34985ac53b8fcc

SHA512
19ad453a4a5e2d34a8909d6ff53f0eb13241150fb49482aa124f20f3c9a8e8d6c8ed8ff392bddd46104ff3ba070bab11f2f75c5afa6490b7f5403c8b50f37e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDB5.tmp.exe
Filesize
78KB

MD5
8c51f17b344b29db9c7294c76bcf49e6

SHA1
2f24e7730b2d8ee33d758d395f7083af5b1ccf31

SHA256
e1720a61698fd4c41de3f50445f3572bce25eb5624190d010e34985ac53b8fcc

SHA512
19ad453a4a5e2d34a8909d6ff53f0eb13241150fb49482aa124f20f3c9a8e8d6c8ed8ff392bddd46104ff3ba070bab11f2f75c5afa6490b7f5403c8b50f37e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC36F.tmp
Filesize
660B

MD5
9ad610f720cbccc46adebba25aef61db

SHA1
0581c67780fd7bf1e67c330c882f74ae00ca6c4f

SHA256
6743a46173a804a2fa1a1557a6635d09e4dbeff9c8d2948f31a830901340a9e2

SHA512
64c6754389733b44b0ab55938371c4b8ae7d041219fce826a66106c71e6ad3b18977f4770d2bd84e8c5c542cbe6502b8f302d6c2d2a55f13329479eabe2662e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpBDB5.tmp.exe
Filesize
78KB

MD5
8c51f17b344b29db9c7294c76bcf49e6

SHA1
2f24e7730b2d8ee33d758d395f7083af5b1ccf31

SHA256
e1720a61698fd4c41de3f50445f3572bce25eb5624190d010e34985ac53b8fcc

SHA512
19ad453a4a5e2d34a8909d6ff53f0eb13241150fb49482aa124f20f3c9a8e8d6c8ed8ff392bddd46104ff3ba070bab11f2f75c5afa6490b7f5403c8b50f37e7a

Download Submit
\Users\Admin\AppData\Local\Temp\tmpBDB5.tmp.exe
Filesize
78KB

MD5
8c51f17b344b29db9c7294c76bcf49e6

SHA1
2f24e7730b2d8ee33d758d395f7083af5b1ccf31

SHA256
e1720a61698fd4c41de3f50445f3572bce25eb5624190d010e34985ac53b8fcc

SHA512
19ad453a4a5e2d34a8909d6ff53f0eb13241150fb49482aa124f20f3c9a8e8d6c8ed8ff392bddd46104ff3ba070bab11f2f75c5afa6490b7f5403c8b50f37e7a

Download Submit
memory/588-56-0x0000000000000000-mapping.dmp

Download
memory/976-66-0x0000000000000000-mapping.dmp

Download
memory/976-69-0x0000000073A00000-0x0000000073FAB000-memory.dmp

Filesize
5.7MB

Download
memory/976-70-0x0000000000245000-0x0000000000256000-memory.dmp

Filesize
68KB

Download
memory/1652-60-0x0000000000000000-mapping.dmp

Download
memory/1840-55-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-54-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download