metamorpherrat | cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8

General

Target

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
Size

512KB
MD5

7986dfc5ba3a34272aad6b1128d04462
SHA1

1f26a98dafa6d33c09b57cc719df618eabe8d830
SHA256

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8
SHA512

4582fd8c31f977faf3c815723f77b95406e67de9d5405b20cb8e35586b3cf9deb0de1299779160a88274cc711a82d88dfe235d2e3ef9ea496a336ee6fc4dea80
SSDEEP

12288:Ih1Lk70TnvjcM5ez2rZEo2J1nPIs9iQLsRZYqhipVgtPp:Uk70TrcUTrV2J1nWQOce

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpC681.tmp.exe

pid process

3760 tmpC681.tmp.exe

pid	process
3760	tmpC681.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpC681.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft.Vsa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\aspnet_filter.exe\""	tmpC681.tmp.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
File created	C:\Windows\assembly\Desktop.ini	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe

Drops file in Windows directory 3 IoCs

Processes:

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
File created	C:\Windows\assembly\Desktop.ini	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exetmpC681.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2264	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
Token: SeDebugPrivilege	3760	tmpC681.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exevbc.exe

description	pid	process	target process
PID 2264 wrote to memory of 4368	2264	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	vbc.exe
PID 2264 wrote to memory of 4368	2264	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	vbc.exe
PID 2264 wrote to memory of 4368	2264	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	vbc.exe
PID 4368 wrote to memory of 3804	4368	vbc.exe	cvtres.exe
PID 4368 wrote to memory of 3804	4368	vbc.exe	cvtres.exe
PID 4368 wrote to memory of 3804	4368	vbc.exe	cvtres.exe
PID 2264 wrote to memory of 3760	2264	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	tmpC681.tmp.exe
PID 2264 wrote to memory of 3760	2264	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	tmpC681.tmp.exe
PID 2264 wrote to memory of 3760	2264	cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe	tmpC681.tmp.exe

C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
"C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sobj64ph.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBC0FBEFC561474E82DEE431658AE713.TMP"
3⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\tmpC681.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC681.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD3EF.tmp
Filesize
1KB

MD5
b89a756808ba630c0b8a1968bb28e66a

SHA1
cd19b480e26113398609f6db266e0a1a5adaf848

SHA256
f666a76981e350a1cca5b6b2cb79f42a811fb1caddaaaad25da37f041b73d5a8

SHA512
087047efb59d84321e6ab45e907c8471225bd39dd51a6a3e76151f509156c86aa9d89b8290ae7eb5e3e426f9f8f2a4b2de9c69bce1dce25c28107989ccf2af27

Download Submit
C:\Users\Admin\AppData\Local\Temp\sobj64ph.0.vb
Filesize
128KB

MD5
3686f2cad7093f6d75baaede236fd4a7

SHA1
e87de078a4e9c303b56fc9bc6f1da4d55a6d821e

SHA256
2c79fd2da4f98234f32651b025605f08d9b822c8aeecae4f7d36b3509dc83eac

SHA512
d6571ec24f4d8496e3411fd0da45097f7cdacbd454a644316dcbce80b81c6f0263d2fd5f8b2775e8f8ef7cf69b7233dca3576fab9ca6f9f4812992d55fc2b208

Download Submit
C:\Users\Admin\AppData\Local\Temp\sobj64ph.cmdline
Filesize
266B

MD5
3a4421cea468529c0ffcd4a30279e52a

SHA1
5df59be8b7a95a232e65e02522dc7b9845def189

SHA256
26fbfaff5748abdd355892d50c64c628d85e272978cf7a59d1239c5ce97b9c0f

SHA512
03c6e338851001ac4ceef4470e0cac87ee0a6925f7a445efd2732a4be1c2c884d61e6d98bdbdbae441c8481e0581b36b5ec094a5e0e6c135ac5e76842e43f70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC681.tmp.exe
Filesize
121KB

MD5
e38ac741ed5e75255952e11b6706d1a1

SHA1
4afe1cffb78c1ed750dd66aab0f02f3e473b7bfd

SHA256
023c002ac652b745a82efbd40db840f8eb38710d06afd6a3500023f470cd8122

SHA512
5a37a71729832ad753ec9377dc46621a4a3103f873286b63aa708f6801856d7cc9f5d226d71ff52f8960f20f5941bc845c58c1ffd09fcf91f7adc9f5c0c2e1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC681.tmp.exe
Filesize
121KB

MD5
e38ac741ed5e75255952e11b6706d1a1

SHA1
4afe1cffb78c1ed750dd66aab0f02f3e473b7bfd

SHA256
023c002ac652b745a82efbd40db840f8eb38710d06afd6a3500023f470cd8122

SHA512
5a37a71729832ad753ec9377dc46621a4a3103f873286b63aa708f6801856d7cc9f5d226d71ff52f8960f20f5941bc845c58c1ffd09fcf91f7adc9f5c0c2e1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEBC0FBEFC561474E82DEE431658AE713.TMP
Filesize
660B

MD5
d56d06d264cfa82c1d49c87118356f3e

SHA1
a5ea8abbed641a4c0098d31526aa2e2442b14370

SHA256
a3b101bed5323dc9e223af3ff2b1df6eebe4f7b6cbd2d42aef3311fca30ed7f3

SHA512
f03ab2c866b8f516085ecff3ebe7b1a03e8269bbd5ac6bb0e60a0d1761012b4169c9490b574aea1182d3f6dfe3bb7631103aa202149be1cbc826de48966a0c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
b8fb7009403489ea2ceda4e5abb969aa

SHA1
caeeda2b652f02370501de51b599dc82b89a996b

SHA256
340012732dc6952273a5892d09869d171235b6221d0f6773b31c0df5a2b9e8d4

SHA512
9595f829f9354c9851fc4f280ecb642bb47881e0b920a031409f58e3cbbe0e6e881dc10a98a8d48b7459130f005ee1d00917f6a826ae9ae0bbe08ba9dafeb407

Download Submit
memory/2264-132-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2264-143-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3760-141-0x0000000000000000-mapping.dmp

Download
memory/3760-144-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3760-145-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3804-137-0x0000000000000000-mapping.dmp

Download
memory/4368-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads