metamorpherrat | 70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e

Analysis

max time kernel
1800s
max time network
1804s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-06-2022 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
Size

78KB
MD5

b578bb6e52602f70bf2e7e46801a537d
SHA1

13f93888419a03e5a2572c2ceaa18ca335805359
SHA256

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e
SHA512

5aa66fce36f3c188c730e9cc18fab5e133061480b96f1f7e845353b9f6fc86466f39c0400aad7406f16ef5b60ae969d2fed252e74c09a9d94c911ba713b94caf

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp18B0.tmp.exe

pid process

992 tmp18B0.tmp.exe

pid	process
992	tmp18B0.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe

pid	process
1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp18B0.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp18B0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exetmp18B0.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
Token: SeDebugPrivilege	992	tmp18B0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exevbc.exe

description	pid	process	target process
PID 1528 wrote to memory of 1728	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	vbc.exe
PID 1528 wrote to memory of 1728	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	vbc.exe
PID 1528 wrote to memory of 1728	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	vbc.exe
PID 1528 wrote to memory of 1728	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	vbc.exe
PID 1728 wrote to memory of 1920	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 1920	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 1920	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 1920	1728	vbc.exe	cvtres.exe
PID 1528 wrote to memory of 992	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	tmp18B0.tmp.exe
PID 1528 wrote to memory of 992	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	tmp18B0.tmp.exe
PID 1528 wrote to memory of 992	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	tmp18B0.tmp.exe
PID 1528 wrote to memory of 992	1528	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	tmp18B0.tmp.exe

C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
"C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1g6bbo5z.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc19F7.tmp"
3⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\tmp18B0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp18B0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1g6bbo5z.0.vb
Filesize
14KB

MD5
e2f2e441db5d0c94c1d84cae7ec58e82

SHA1
b61a0b48b54ddf3ac35234ac5955e71536c8b089

SHA256
8be01876de5948e17ab74b3aaaf583ebac0dad8e1e26bb173057c49a4c1dcc00

SHA512
10264121ab4b050965bed416f1e3a31638cf1f4b2a9fc462aec98094439b928346d7f7d66d91b504909f4b5c0b6decb97bfe5f52333298f1bde65df4098fb2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1g6bbo5z.cmdline
Filesize
266B

MD5
edbeb7ab36cc663e8b384b985560befc

SHA1
198845bc416ddb2d160c3845ab0bd43ecba1a8b9

SHA256
8292a7d693d91a42aabb06278268aa8f778113e29d283119cc908fed62293d7e

SHA512
438f05dfe56e2efd0e163dd332682a051c3a435f1b854f94758d9c1c743419b6b36f3f1b602368ee4f4f66ad62af4a839ca9c3b56be2b81a92c32f99ff02f50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A08.tmp
Filesize
1KB

MD5
ab05d75699a383bf06ebdb1a9c7316af

SHA1
230c00c104a9a6ebe014cba3d4cc71ac284b63ad

SHA256
1c25d4cdb2f7a90f74b2789a3a955b30b47daeb6288a0d490614e336c3e80a1f

SHA512
bcda6e2e056655e72f3d8755557394850bab2fa260b166aeec9de03569a356d343f219d0d05db925f4002ed9f0e53bb60241bd5ff579405ea25145253475664f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18B0.tmp.exe
Filesize
78KB

MD5
be2d6daeefafe31512b7522b64ad3786

SHA1
466446d6e589be4daec0fcebf3a7a58fdc95efa3

SHA256
141f3b7b91cfe37ab1b1b1d953562be7a0daaa225b311caf3d23cd48b44f7d91

SHA512
51576d849d9f514589d599955b174d1c18629583027f5bfb2fbad8fce147e96306cb8aa1b0beed0ff6acfdcd64f9c39c8b6c8e8c924c2ffd1c4782becc9fa916

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18B0.tmp.exe
Filesize
78KB

MD5
be2d6daeefafe31512b7522b64ad3786

SHA1
466446d6e589be4daec0fcebf3a7a58fdc95efa3

SHA256
141f3b7b91cfe37ab1b1b1d953562be7a0daaa225b311caf3d23cd48b44f7d91

SHA512
51576d849d9f514589d599955b174d1c18629583027f5bfb2fbad8fce147e96306cb8aa1b0beed0ff6acfdcd64f9c39c8b6c8e8c924c2ffd1c4782becc9fa916

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc19F7.tmp
Filesize
660B

MD5
d9a0e33051eff6c2814b350fed48ec33

SHA1
d0e37aaabe220ecf5b5f3c25a14b44bb716de66c

SHA256
8c413cb0f2311f7a4101a742799a89b2854d0c0d53cc6154bc4a7baa72daa2c3

SHA512
72fa72572c5efa4dea5739260d49cd7dff663de8b43f9a15a3cd445a7d226f4a64b23b9807bbc973b94688ba0aaf5b10546ff9a5fe81a8481d68c17b10085ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp18B0.tmp.exe
Filesize
78KB

MD5
be2d6daeefafe31512b7522b64ad3786

SHA1
466446d6e589be4daec0fcebf3a7a58fdc95efa3

SHA256
141f3b7b91cfe37ab1b1b1d953562be7a0daaa225b311caf3d23cd48b44f7d91

SHA512
51576d849d9f514589d599955b174d1c18629583027f5bfb2fbad8fce147e96306cb8aa1b0beed0ff6acfdcd64f9c39c8b6c8e8c924c2ffd1c4782becc9fa916

Download Submit
\Users\Admin\AppData\Local\Temp\tmp18B0.tmp.exe
Filesize
78KB

MD5
be2d6daeefafe31512b7522b64ad3786

SHA1
466446d6e589be4daec0fcebf3a7a58fdc95efa3

SHA256
141f3b7b91cfe37ab1b1b1d953562be7a0daaa225b311caf3d23cd48b44f7d91

SHA512
51576d849d9f514589d599955b174d1c18629583027f5bfb2fbad8fce147e96306cb8aa1b0beed0ff6acfdcd64f9c39c8b6c8e8c924c2ffd1c4782becc9fa916

Download Submit
memory/992-65-0x0000000000000000-mapping.dmp

Download
memory/992-69-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/992-70-0x00000000002D5000-0x00000000002E6000-memory.dmp

Filesize
68KB

Download
memory/992-71-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-54-0x0000000075391000-0x0000000075393000-memory.dmp

Filesize
8KB

Download
memory/1528-68-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-55-0x0000000000000000-mapping.dmp

Download
memory/1920-59-0x0000000000000000-mapping.dmp

Download