metamorpherrat | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a

General

Target

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
Size

78KB
MD5

047e2b220274efec3654b82f56552676
SHA1

3df7a72f37c4ad0b94ecfa4e83071cbcd6271235
SHA256

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a
SHA512

7d3b0897b4be725ede778dd16f682a6886773a9eddc1847dfbd5ef177a8a627bf9c0d00acf83d0367c44a702ba8587708fdcef41b72628a6c1df6569b98a1b07

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp99EE.tmp.exe

pid process

4508 tmp99EE.tmp.exe

pid	process
4508	tmp99EE.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp99EE.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp99EE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exetmp99EE.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1724	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
Token: SeDebugPrivilege	4508	tmp99EE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exevbc.exe

description	pid	process	target process
PID 1724 wrote to memory of 2752	1724	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	vbc.exe
PID 1724 wrote to memory of 2752	1724	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	vbc.exe
PID 1724 wrote to memory of 2752	1724	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	vbc.exe
PID 2752 wrote to memory of 3780	2752	vbc.exe	cvtres.exe
PID 2752 wrote to memory of 3780	2752	vbc.exe	cvtres.exe
PID 2752 wrote to memory of 3780	2752	vbc.exe	cvtres.exe
PID 1724 wrote to memory of 4508	1724	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	tmp99EE.tmp.exe
PID 1724 wrote to memory of 4508	1724	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	tmp99EE.tmp.exe
PID 1724 wrote to memory of 4508	1724	712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe	tmp99EE.tmp.exe

C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
"C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sxd_eqmz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BCEFF19871F4DDABB25A75D11B460E1.TMP"
3⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA3A2.tmp
Filesize
1KB

MD5
1cb89c1bec2a2f4a21b2e65fec57bd9c

SHA1
5042ec42e503727e1edf0025313eeba1964947d3

SHA256
fd6e06979e9b20f7fa5b6d96df6d5c789f652e7ac26c4452a0311aafc482a043

SHA512
ffb03ed574f63103160aaa41c14c14e91812f2ef1ed12701a346fe9665decf696116e163de43f1172e6303ed4fe98d75f7335f88fb5dfa10d3c9eb1d2aa59baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxd_eqmz.0.vb
Filesize
14KB

MD5
9be9dea38ca8aef887fe92306e1efeca

SHA1
7db4e1a640d70179c0e7bd03e8a454d7fa1c32d0

SHA256
565b2b174f622dc6bf335324ec4c0b948e3c0f7e1541732f7b995c3129abc844

SHA512
95da76ad6fd57ffc01767390b602bb13268c92ce626eecdca140812678141aa3eb6aed26e1df9e2ce3b9683e7c51cc36eff0c24c0acf9c8b73c5d09cda4ad1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxd_eqmz.cmdline
Filesize
266B

MD5
0f31cf36aa7999686faf52bae0e7c801

SHA1
64d9ceb0da7752c01e7a800aa561a376d6d5ea0d

SHA256
5d288791dd97ed76801ade029cf051f0b043f141993e596f87f43b1f05d29655

SHA512
202e3e90089fbd6877baeda2a4254932e0bcc9580a3008bbe890a5a15a5d2507a4343a9e108356693f2e8e77db42ffc127f0c308b024af0d7772da2cb4b6034c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe
Filesize
78KB

MD5
d7a0b9c181436008892f2306c2040c16

SHA1
e64a55e52cf6f1f93f65cda59fac228ddb87db55

SHA256
41a53c618072c4798fa866ba35b760415cdfc9bb349c839db711feaa1a1056a1

SHA512
35b3f14239c42dfe794985b603ed2c3e746eeb8ec8884321b5937bc49fb009367ac1d64f935864070dba7943c4484278d576ac76d7095f2b804e1221863ac120

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe
Filesize
78KB

MD5
d7a0b9c181436008892f2306c2040c16

SHA1
e64a55e52cf6f1f93f65cda59fac228ddb87db55

SHA256
41a53c618072c4798fa866ba35b760415cdfc9bb349c839db711feaa1a1056a1

SHA512
35b3f14239c42dfe794985b603ed2c3e746eeb8ec8884321b5937bc49fb009367ac1d64f935864070dba7943c4484278d576ac76d7095f2b804e1221863ac120

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5BCEFF19871F4DDABB25A75D11B460E1.TMP
Filesize
660B

MD5
3f3d13797be8a3be66197ed3e6226ea8

SHA1
7c7792566bcfa6ce9d2b48e80ab009aff61ca305

SHA256
3282798fd6deef84eeddeb4a3f28b55fe885eade40c4b62d771d45fd629e4494

SHA512
b7a5e3857db3d064ea81f7aeca8f76445bf49d6d89f80e640b93107f85b94e4b9991a3a14ca72c9ff86ed1660c6bfbc1e63fcbbd5296d2f9a8bd7a19100a766d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1724-130-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/2752-131-0x0000000000000000-mapping.dmp

Download
memory/3780-135-0x0000000000000000-mapping.dmp

Download
memory/4508-139-0x0000000000000000-mapping.dmp

Download
memory/4508-141-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads