metamorpherrat | 04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1

Analysis

max time kernel
161s
max time network
181s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
Size

78KB
MD5

018d10259ffaff7a1e3a1bf59ddf2f94
SHA1

13b8899a70738b5d5034ba31bb4ef0e751846342
SHA256

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1
SHA512

613633cd547daa4e94660093fa285fe03e574bcad2ec0a8a2c71974d8d7fcc8b1ae4e95ac808855f15e973c4556e1f780862f00db9bd154e651a08b17012a3fb

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp896C.tmp.exe

pid process

1756 tmp896C.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp896C.tmp.exe

pid process

1756 tmp896C.tmp.exe

pid	process
1756	tmp896C.tmp.exe

pid	process
1756	tmp896C.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe

pid	process
916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp896C.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp896C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exetmp896C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
Token: SeDebugPrivilege	1756	tmp896C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exevbc.exe

description	pid	process	target process
PID 916 wrote to memory of 960	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	vbc.exe
PID 916 wrote to memory of 960	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	vbc.exe
PID 916 wrote to memory of 960	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	vbc.exe
PID 916 wrote to memory of 960	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	vbc.exe
PID 960 wrote to memory of 1148	960	vbc.exe	cvtres.exe
PID 960 wrote to memory of 1148	960	vbc.exe	cvtres.exe
PID 960 wrote to memory of 1148	960	vbc.exe	cvtres.exe
PID 960 wrote to memory of 1148	960	vbc.exe	cvtres.exe
PID 916 wrote to memory of 1756	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	tmp896C.tmp.exe
PID 916 wrote to memory of 1756	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	tmp896C.tmp.exe
PID 916 wrote to memory of 1756	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	tmp896C.tmp.exe
PID 916 wrote to memory of 1756	916	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	tmp896C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
"C:\Users\Admin\AppData\Local\Temp\04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zv2zv86a.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B21.tmp"
3⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8B22.tmp
Filesize
1KB

MD5
4007112fee78ac8f29f10705114ac990

SHA1
5325eddf3ea9c7ff867d60f3199598bfa04d06f0

SHA256
a7f787c236a5dfbae2836432d3a8df75fd09e8a912cd6bd8ab08fcf8b322c2cd

SHA512
68d29b41b70f1c0264352d72adb6032ef9fb11e0ac43b918ab56e604e517d2f9bfb8be6ad9f2720ce3f7fe0673afaa596f6b8356a2273c7621e1ebc64cfda705

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe
Filesize
78KB

MD5
f980420126d488525aefab98d09785a4

SHA1
142d7259333af99fd9fefc8791066ee9f343a28d

SHA256
9a13cd0dafb5fdc7544c4a3565a5720c96c6bfb2b4c1ac9f5cdcaa4666e01112

SHA512
8de9bfb06658f55ae115d40a23f28c986c9b6b3bbcfafa037a93efd5f84086251ffdf5356de666b8f27bfc4e75d5fbe09df3d1b5bd6a884561845d77414b5f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe
Filesize
78KB

MD5
f980420126d488525aefab98d09785a4

SHA1
142d7259333af99fd9fefc8791066ee9f343a28d

SHA256
9a13cd0dafb5fdc7544c4a3565a5720c96c6bfb2b4c1ac9f5cdcaa4666e01112

SHA512
8de9bfb06658f55ae115d40a23f28c986c9b6b3bbcfafa037a93efd5f84086251ffdf5356de666b8f27bfc4e75d5fbe09df3d1b5bd6a884561845d77414b5f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8B21.tmp
Filesize
660B

MD5
f4800f8e9aff4ef677cc1b0000906f53

SHA1
8464ce7e78682538508d77dc85863008f5468830

SHA256
c88142979ef0748e987026e44453042f2194b85b9307107cdcbdb3ef0a648b0b

SHA512
c7dda4706e08dcc80672d59fa5b536e2a1b47cb0e68278664d0e17057a8b805e017ba77366f8a4e0a27aa6b71ab1f9c4cf70b171d09f742674be0abf5f7502cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\zv2zv86a.0.vb
Filesize
14KB

MD5
c19dba5cfea14b868832bc673fb3c6e3

SHA1
8739d6600074a7ed49cc5533c9d4fa8b918bcaf5

SHA256
20dcefd0d5c07e5703dff79a5ab80cb4643e273267cdb998483c85f028f55ce5

SHA512
e77d06a43911cd2f441c87f6578a52b8f08cd97f8b80790f46598c1bfd42c3a321350eed49cac9ef0e43c68094534f2f33fa6439f0ac77bd27a5e5293349729d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zv2zv86a.cmdline
Filesize
266B

MD5
31b2b44efe2c6d0128c9a83841987ed5

SHA1
c48aa69439c69e5f06fd5e699fb91b5988586f9b

SHA256
f96100542a45522e915346efea01f79a52b7d60ad6882729f5b00510b5c25811

SHA512
4281d2315fa119a3bf3c7ac6ee68dbcd508caa98602d5d56702de59f4051ee376cbb76caa1b2b82eaf2ebcb2a437c32170fcbe5dfaec0a938fb3a5f4320db2c4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe
Filesize
78KB

MD5
f980420126d488525aefab98d09785a4

SHA1
142d7259333af99fd9fefc8791066ee9f343a28d

SHA256
9a13cd0dafb5fdc7544c4a3565a5720c96c6bfb2b4c1ac9f5cdcaa4666e01112

SHA512
8de9bfb06658f55ae115d40a23f28c986c9b6b3bbcfafa037a93efd5f84086251ffdf5356de666b8f27bfc4e75d5fbe09df3d1b5bd6a884561845d77414b5f41

Download Submit
\Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe
Filesize
78KB

MD5
f980420126d488525aefab98d09785a4

SHA1
142d7259333af99fd9fefc8791066ee9f343a28d

SHA256
9a13cd0dafb5fdc7544c4a3565a5720c96c6bfb2b4c1ac9f5cdcaa4666e01112

SHA512
8de9bfb06658f55ae115d40a23f28c986c9b6b3bbcfafa037a93efd5f84086251ffdf5356de666b8f27bfc4e75d5fbe09df3d1b5bd6a884561845d77414b5f41

Download Submit
memory/916-63-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/916-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000000000000-mapping.dmp

Download
memory/1148-59-0x0000000000000000-mapping.dmp

Download
memory/1756-66-0x0000000000000000-mapping.dmp

Download
memory/1756-69-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-70-0x00000000020E5000-0x00000000020F6000-memory.dmp

Filesize
68KB

Download