metamorpherrat | 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73

Analysis

max time kernel
1800s
max time network
1803s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-06-2022 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
Size

78KB
MD5

b6e8fa374675658ee48142da90c14bd6
SHA1

53ec1171fda63af0eae7e440bc6aa0d7bf3094b5
SHA256

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73
SHA512

86568c84272077e3f295d47805c337981ec59d9f56d3c258a8fd1c0ad5aed996e53d9d1604ada5c01abb21c01340d3302e1ac72dfa4b798e98bf51e0c1ce5e4d

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpECFE.tmp.exe

pid process

1684 tmpECFE.tmp.exe

pid	process
1684	tmpECFE.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe

pid	process
1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpECFE.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpECFE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exetmpECFE.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
Token: SeDebugPrivilege	1684	tmpECFE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exevbc.exe

description	pid	process	target process
PID 1452 wrote to memory of 1504	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	vbc.exe
PID 1452 wrote to memory of 1504	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	vbc.exe
PID 1452 wrote to memory of 1504	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	vbc.exe
PID 1452 wrote to memory of 1504	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	vbc.exe
PID 1504 wrote to memory of 1696	1504	vbc.exe	cvtres.exe
PID 1504 wrote to memory of 1696	1504	vbc.exe	cvtres.exe
PID 1504 wrote to memory of 1696	1504	vbc.exe	cvtres.exe
PID 1504 wrote to memory of 1696	1504	vbc.exe	cvtres.exe
PID 1452 wrote to memory of 1684	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	tmpECFE.tmp.exe
PID 1452 wrote to memory of 1684	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	tmpECFE.tmp.exe
PID 1452 wrote to memory of 1684	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	tmpECFE.tmp.exe
PID 1452 wrote to memory of 1684	1452	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	tmpECFE.tmp.exe

C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
"C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\arie2xl2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE75.tmp"
3⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEE76.tmp
Filesize
1KB

MD5
2aa4bfe644d395d1d95b376708a37115

SHA1
d52e016847b56a808b658f4bc6ef0000a3d4b043

SHA256
ceced198ec733bfeb6bf4c4e2b995c1f6038d3757e9de9c996fd4358ac2ec135

SHA512
9f4a11ec464745c297bcc2966524b7c97c3f67fdb49a0189e24cf2f6542a29d5728803b6c2d9292e0f10725cd8a2d5525597592d01a36bf9832fb8312dca2f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\arie2xl2.0.vb
Filesize
14KB

MD5
fe1a602c237b40c59164bc689e0da074

SHA1
e1eb28336cf9a476458b492523194f19ba6a6382

SHA256
32d98468e6adb2d5234a06417fc001d5fc89492659a76f7bf406dfafdae0a984

SHA512
5a528d69d478d127febf8be55aeca98b74f7bea9d6a9f8f9d5c7066ef9533dd4947ce0fe92f1637bfb60c94fa487e345537e07345dc4956e0075fb18cee42000

Download Submit
C:\Users\Admin\AppData\Local\Temp\arie2xl2.cmdline
Filesize
266B

MD5
8d0da827aa0118448698d9ddc00bd1dc

SHA1
8277b6eb7bd72e87a7b9609045829b48219e0446

SHA256
49bd3f16bb7cba674b02a9a07d1e5299f59e7f5cf7327f83caeee16b624a53d0

SHA512
ed6f01156c57c7f5f1421c34dd49c2fd4b95cef598eb4fb05ef532efaded7634fc31dd5357acb73e5b5be56bcedff83eb76df82fa4e81547a687fce8d4c286b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe
Filesize
78KB

MD5
0e3bb356ae4f02ca2de07dcb55d6d759

SHA1
8a3277da90aafdfa0c28d05a10e160eae0fef4ce

SHA256
6d9bcce1391f49284916e29469dbfe3d3ef9f72fd9084d410c9e88cd3899026f

SHA512
ace8ad257bf83fc3ef8a8a9dd3fb536ba4dd7bd4ae40d591f9eee63493a4c707ab77b963b563a19c1dcd51d29f4f83195d8c732c3eafae5cd438eeea55b9b5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe
Filesize
78KB

MD5
0e3bb356ae4f02ca2de07dcb55d6d759

SHA1
8a3277da90aafdfa0c28d05a10e160eae0fef4ce

SHA256
6d9bcce1391f49284916e29469dbfe3d3ef9f72fd9084d410c9e88cd3899026f

SHA512
ace8ad257bf83fc3ef8a8a9dd3fb536ba4dd7bd4ae40d591f9eee63493a4c707ab77b963b563a19c1dcd51d29f4f83195d8c732c3eafae5cd438eeea55b9b5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE75.tmp
Filesize
660B

MD5
4354cb779e65801ab9c18091ac3475e8

SHA1
34b6831140d6bb5d67b211f45c422f46678e9e18

SHA256
2d19cd85acfe034a89f9855b3e2ca9711c5cdc8cd172285ca53fbffca5aa8ce5

SHA512
d1bc6af96b6d30afd3c72bebe14cac0a378338d496d3752e609b426e2e10da3d91fbc7f944f5956e5a4d1eccf112ffe2017b19bee31f33c9c1a3a6998ec873cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe
Filesize
78KB

MD5
0e3bb356ae4f02ca2de07dcb55d6d759

SHA1
8a3277da90aafdfa0c28d05a10e160eae0fef4ce

SHA256
6d9bcce1391f49284916e29469dbfe3d3ef9f72fd9084d410c9e88cd3899026f

SHA512
ace8ad257bf83fc3ef8a8a9dd3fb536ba4dd7bd4ae40d591f9eee63493a4c707ab77b963b563a19c1dcd51d29f4f83195d8c732c3eafae5cd438eeea55b9b5b6

Download Submit
\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe
Filesize
78KB

MD5
0e3bb356ae4f02ca2de07dcb55d6d759

SHA1
8a3277da90aafdfa0c28d05a10e160eae0fef4ce

SHA256
6d9bcce1391f49284916e29469dbfe3d3ef9f72fd9084d410c9e88cd3899026f

SHA512
ace8ad257bf83fc3ef8a8a9dd3fb536ba4dd7bd4ae40d591f9eee63493a4c707ab77b963b563a19c1dcd51d29f4f83195d8c732c3eafae5cd438eeea55b9b5b6

Download Submit
memory/1452-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1452-68-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-55-0x0000000000000000-mapping.dmp

Download
memory/1684-65-0x0000000000000000-mapping.dmp

Download
memory/1684-69-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-70-0x00000000003C5000-0x00000000003D6000-memory.dmp

Filesize
68KB

Download
memory/1684-71-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-59-0x0000000000000000-mapping.dmp

Download