metamorpherrat | ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c

Analysis

max time kernel
151s
max time network
192s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe
Size

78KB
MD5

03dc3a78b445202a5051b9af86fd5a9b
SHA1

db5c9b54adc50ddf1bea9746dd5bc76ed040e91a
SHA256

ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c
SHA512

7a535ccea2208f46601ae6b2d494e7e39d9563656b67a8963616f0201d0e9095e017c0663372dbe4b164b9205e3aea106c0c0af6d722b745dca6890189fbb1a1

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp8306.tmp.exe

pid process

1884 tmp8306.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp8306.tmp.exe

pid process

1884 tmp8306.tmp.exe

pid	process
1884	tmp8306.tmp.exe

pid	process
1884	tmp8306.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe

pid	process
972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe
972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp8306.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8306.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exetmp8306.tmp.exe

description	pid	process
Token: SeDebugPrivilege	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe
Token: SeDebugPrivilege	1884	tmp8306.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exevbc.exe

description	pid	process	target process
PID 972 wrote to memory of 1140	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe	vbc.exe
PID 972 wrote to memory of 1140	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe	vbc.exe
PID 972 wrote to memory of 1140	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe	vbc.exe
PID 972 wrote to memory of 1140	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe	vbc.exe
PID 1140 wrote to memory of 1176	1140	vbc.exe	cvtres.exe
PID 1140 wrote to memory of 1176	1140	vbc.exe	cvtres.exe
PID 1140 wrote to memory of 1176	1140	vbc.exe	cvtres.exe
PID 1140 wrote to memory of 1176	1140	vbc.exe	cvtres.exe
PID 972 wrote to memory of 1884	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe	tmp8306.tmp.exe
PID 972 wrote to memory of 1884	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe	tmp8306.tmp.exe
PID 972 wrote to memory of 1884	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe	tmp8306.tmp.exe
PID 972 wrote to memory of 1884	972	ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe	tmp8306.tmp.exe

C:\Users\Admin\AppData\Local\Temp\ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe
"C:\Users\Admin\AppData\Local\Temp\ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbfiicb1.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES167F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc167E.tmp"
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab7a6153f85d6b99b95cdc3997c6d3a75a7ae8f55d391d7d045d779a7a78201c.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES167F.tmp
Filesize
1KB

MD5
c66b26e7588c890d9f7d9ea77a4ed860

SHA1
b339987c10ed180f197ec790e39b95dfcc5885bc

SHA256
e8416ce51b254195a1c5a0ce521aea2a3db2e4a3569d40ad3212db29eaf0182f

SHA512
4f114b58535e6e8913bd0e67ca905c04f027f38ec6f5d0fbc5c92845e78487aba64a6f73f8ef8a8bfa6017f153db4da5df6f77f565d9c12d62f5ba38e897e503

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbfiicb1.0.vb
Filesize
15KB

MD5
7008cdd3af8706e9e17f51c470d7f6b3

SHA1
1f74f0e2ed10fdcbde561bae435774fd2f939c89

SHA256
bd3c4244fcafc5d869ec14d60bf1422440c1dad362f808ff4fbc3a1b4b23501a

SHA512
32b4acff6c180aa58c053b5111167b0d34379e5238f72525f4148d772dfb089e98cd06fc76a2f2c6e9bf0b13f6b9c3669cd74bd38f3cb2c76be1621e83e54fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbfiicb1.cmdline
Filesize
266B

MD5
f22c65017fe6d6f0b6dadd9e0ac79f17

SHA1
81979aa76af72cc042231790faa6e4aff47fd2ee

SHA256
b7a78eea28a3d63ea6adc05a6116c89b462aa52c8fcdbd22f84d8ce239d79577

SHA512
742345ac736ce8fe076aeb18b373131d6240e9587191aade0d8566425822f460830af94af5ba0f7cf96dde7c04cc3d4a8fe6989cadeb0c326736cff4d6cfe664

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe
Filesize
78KB

MD5
d361a94d00d5fecdd68d4f63eb4d3f90

SHA1
e839d66f8e14f6d1260cb630b1922464fd7ae941

SHA256
f2c7bd8c4073585dd2a7085cd65572942915177b99613d3c96c0e0cff55e59a0

SHA512
9d51ac732a2267a1e899f114043003bf98471cae8bc770ed7b2ed57c16afd5f373d4ff58450b0a85d39503679c73dc441c74af13007d9e603c6c8a93f8669bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe
Filesize
78KB

MD5
d361a94d00d5fecdd68d4f63eb4d3f90

SHA1
e839d66f8e14f6d1260cb630b1922464fd7ae941

SHA256
f2c7bd8c4073585dd2a7085cd65572942915177b99613d3c96c0e0cff55e59a0

SHA512
9d51ac732a2267a1e899f114043003bf98471cae8bc770ed7b2ed57c16afd5f373d4ff58450b0a85d39503679c73dc441c74af13007d9e603c6c8a93f8669bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc167E.tmp
Filesize
660B

MD5
a9bd6fbc9c0667b8139fd94cd342b688

SHA1
93dc9ba1ad5360c166139a8032546e4903965541

SHA256
41223803e371137025af739d8a59684e2b2456d3e5fef1d7d3fd7d464ad854e9

SHA512
62e515df369b30a73d26753fe84f7eb413b6d4eb47b4bef730a7657010bb095d8979434753cd62d6900684affd969776fa9fd37654d5ad515011329ac5273733

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe
Filesize
78KB

MD5
d361a94d00d5fecdd68d4f63eb4d3f90

SHA1
e839d66f8e14f6d1260cb630b1922464fd7ae941

SHA256
f2c7bd8c4073585dd2a7085cd65572942915177b99613d3c96c0e0cff55e59a0

SHA512
9d51ac732a2267a1e899f114043003bf98471cae8bc770ed7b2ed57c16afd5f373d4ff58450b0a85d39503679c73dc441c74af13007d9e603c6c8a93f8669bf9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe
Filesize
78KB

MD5
d361a94d00d5fecdd68d4f63eb4d3f90

SHA1
e839d66f8e14f6d1260cb630b1922464fd7ae941

SHA256
f2c7bd8c4073585dd2a7085cd65572942915177b99613d3c96c0e0cff55e59a0

SHA512
9d51ac732a2267a1e899f114043003bf98471cae8bc770ed7b2ed57c16afd5f373d4ff58450b0a85d39503679c73dc441c74af13007d9e603c6c8a93f8669bf9

Download Submit
memory/972-55-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/972-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1140-56-0x0000000000000000-mapping.dmp

Download
memory/1176-60-0x0000000000000000-mapping.dmp

Download
memory/1884-66-0x0000000000000000-mapping.dmp

Download
memory/1884-69-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-70-0x0000000001ED5000-0x0000000001EE6000-memory.dmp

Filesize
68KB

Download