metamorpherrat | cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
Size

512KB
MD5

7986dfc5ba3a34272aad6b1128d04462
SHA1

1f26a98dafa6d33c09b57cc719df618eabe8d830
SHA256

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8
SHA512

4582fd8c31f977faf3c815723f77b95406e67de9d5405b20cb8e35586b3cf9deb0de1299779160a88274cc711a82d88dfe235d2e3ef9ea496a336ee6fc4dea80
SSDEEP

12288:Ih1Lk70TnvjcM5ez2rZEo2J1nPIs9iQLsRZYqhipVgtPp:Uk70TrcUTrV2J1nWQOce

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp9AF9.tmp.exe

pid process

948 tmp9AF9.tmp.exe

pid	process
948	tmp9AF9.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe

pid	process
1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp9AF9.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.Vsa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\aspnet_filter.exe\""	tmp9AF9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exetmp9AF9.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
Token: SeDebugPrivilege	948	tmp9AF9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exevbc.exe

description	pid	process	target process
PID 1508 wrote to memory of 1444	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	vbc.exe
PID 1508 wrote to memory of 1444	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	vbc.exe
PID 1508 wrote to memory of 1444	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	vbc.exe
PID 1508 wrote to memory of 1444	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	vbc.exe
PID 1444 wrote to memory of 1760	1444	vbc.exe	cvtres.exe
PID 1444 wrote to memory of 1760	1444	vbc.exe	cvtres.exe
PID 1444 wrote to memory of 1760	1444	vbc.exe	cvtres.exe
PID 1444 wrote to memory of 1760	1444	vbc.exe	cvtres.exe
PID 1508 wrote to memory of 948	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	tmp9AF9.tmp.exe
PID 1508 wrote to memory of 948	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	tmp9AF9.tmp.exe
PID 1508 wrote to memory of 948	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	tmp9AF9.tmp.exe
PID 1508 wrote to memory of 948	1508	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	tmp9AF9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
"C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\slo2ezhd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACF3.tmp"
3⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\tmp9AF9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9AF9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAD03.tmp
Filesize
1KB

MD5
2c533d62cee3f47030f392e374103b00

SHA1
6d795426464444856cc9ae0d7e7a40482c4a9f34

SHA256
e06b5860c8e4f5be3234b900434704df4b811223ae9dda98edcc4e2388af7e55

SHA512
af35a8f3996b822d1f15f0ff25a67efa3ad41a8d90a63116c279cca59892f84a430b7182679c466bb4a22fb7b94ef5802d282fdc1eb94308c2e23c92b92f3184

Download Submit
C:\Users\Admin\AppData\Local\Temp\slo2ezhd.0.vb
Filesize
126KB

MD5
c21a0eb00928aef5685225f433bfb11d

SHA1
d62bb5478d1a1296ef974c869ab14523ba5149cb

SHA256
e944f72414b069f3ac5f42914c35b7139772df06312dedbab5e01581652bd824

SHA512
011b5118efd08c911ceb604aba6e8ff6e4bddabb2e9e90c59cc7e1d126d1cf2727097f88031d11c31a8c5f94da3b3bb02beee9f78f99410456255d997c2e3ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\slo2ezhd.cmdline
Filesize
266B

MD5
cacb65ca78cbb71e2c2c4cf70980666f

SHA1
0f3e889f6b54ec9f79644dcbfb058428324660f8

SHA256
a5aefc763544fefcf1ac7d627df3f627c90c4877581ab0364cca58c5f911d6ab

SHA512
29627f7c9161a08b01feccbf447e935787e8533a7b49c46faa84b4d823a406d3a7841b6e4c77abc11d983b79b0c8e442940a9c4e78eb6d837795a88034df365e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AF9.tmp.exe
Filesize
120KB

MD5
40c7a4de0f71fc0cd97897c1c846e66e

SHA1
45d2d9f71acab471821e28d58536e3fd190d7e20

SHA256
9b45903d9e952ee947a9913d55550a957255d2b400a47919aa1c05fb3aa70c4b

SHA512
1a2c416837a33a04fa3c1e82fea6d5d682b61785feef67b0e1f33f965b59600d8c1842bdbb5edf7b9e896514498c12c182496af535f15535639e19dcffc2c413

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AF9.tmp.exe
Filesize
120KB

MD5
40c7a4de0f71fc0cd97897c1c846e66e

SHA1
45d2d9f71acab471821e28d58536e3fd190d7e20

SHA256
9b45903d9e952ee947a9913d55550a957255d2b400a47919aa1c05fb3aa70c4b

SHA512
1a2c416837a33a04fa3c1e82fea6d5d682b61785feef67b0e1f33f965b59600d8c1842bdbb5edf7b9e896514498c12c182496af535f15535639e19dcffc2c413

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcACF3.tmp
Filesize
660B

MD5
82d0e034fb8f737486ec8c2562accea9

SHA1
620d3380ce5c091f1b80a42ceedb889a75280004

SHA256
ec95a47cad60a6b0005c708a5a950910f337843bb1f5aa5943db0c06bb4ef42e

SHA512
ddb0857d1c271694e2db951b4f2e5ac01b30d2264c0e9f478ed0f452548778c81c36115dfefedd89c6c50ad8ebf8b79f0df60863287225c4a35a2fa453df2148

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
b8fb7009403489ea2ceda4e5abb969aa

SHA1
caeeda2b652f02370501de51b599dc82b89a996b

SHA256
340012732dc6952273a5892d09869d171235b6221d0f6773b31c0df5a2b9e8d4

SHA512
9595f829f9354c9851fc4f280ecb642bb47881e0b920a031409f58e3cbbe0e6e881dc10a98a8d48b7459130f005ee1d00917f6a826ae9ae0bbe08ba9dafeb407

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9AF9.tmp.exe
Filesize
120KB

MD5
40c7a4de0f71fc0cd97897c1c846e66e

SHA1
45d2d9f71acab471821e28d58536e3fd190d7e20

SHA256
9b45903d9e952ee947a9913d55550a957255d2b400a47919aa1c05fb3aa70c4b

SHA512
1a2c416837a33a04fa3c1e82fea6d5d682b61785feef67b0e1f33f965b59600d8c1842bdbb5edf7b9e896514498c12c182496af535f15535639e19dcffc2c413

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9AF9.tmp.exe
Filesize
120KB

MD5
40c7a4de0f71fc0cd97897c1c846e66e

SHA1
45d2d9f71acab471821e28d58536e3fd190d7e20

SHA256
9b45903d9e952ee947a9913d55550a957255d2b400a47919aa1c05fb3aa70c4b

SHA512
1a2c416837a33a04fa3c1e82fea6d5d682b61785feef67b0e1f33f965b59600d8c1842bdbb5edf7b9e896514498c12c182496af535f15535639e19dcffc2c413

Download Submit
memory/948-72-0x0000000000BB5000-0x0000000000BC6000-memory.dmp

Filesize
68KB

Download
memory/948-66-0x0000000000000000-mapping.dmp

Download
memory/948-71-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/948-70-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1444-56-0x0000000000000000-mapping.dmp

Download
memory/1508-69-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-55-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1760-60-0x0000000000000000-mapping.dmp

Download