metamorpherrat | 04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Size

78KB
MD5

f36c82d4adff5d05b7755ac1ce582be5
SHA1

9f5f2f973e6265a1558617182b3c0ed23ad98e5f
SHA256

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb
SHA512

87526732cc047c8591855a5d346c4a89673c5dc11358cb192f8780f450561cc7eb0e93df9308b6c148e3f4688d328407d8b443313241030960b91a5a0321c1c9
SSDEEP

1536:2WV5Udy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt961M9/Ce19f:2WV5jn7N041QqhgGM9/C+

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF02A.tmp.exe

pid process

1460 tmpF02A.tmp.exe

pid	process
1460	tmpF02A.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe

pid	process
1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpF02A.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpF02A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exetmpF02A.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Token: SeDebugPrivilege	1460	tmpF02A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exevbc.exe

description	pid	process	target process
PID 1964 wrote to memory of 2016	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 1964 wrote to memory of 2016	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 1964 wrote to memory of 2016	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 1964 wrote to memory of 2016	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 2016 wrote to memory of 1496	2016	vbc.exe	cvtres.exe
PID 2016 wrote to memory of 1496	2016	vbc.exe	cvtres.exe
PID 2016 wrote to memory of 1496	2016	vbc.exe	cvtres.exe
PID 2016 wrote to memory of 1496	2016	vbc.exe	cvtres.exe
PID 1964 wrote to memory of 1460	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmpF02A.tmp.exe
PID 1964 wrote to memory of 1460	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmpF02A.tmp.exe
PID 1964 wrote to memory of 1460	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmpF02A.tmp.exe
PID 1964 wrote to memory of 1460	1964	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmpF02A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
"C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h8afveas.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1BF.tmp"
3⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmpF02A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF02A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF1C0.tmp
Filesize
1KB

MD5
d1f0d71e733d4975e1bb5188258f5420

SHA1
573ea01e4bb96cd164c9f4d6760bd5cf743a2163

SHA256
1c38131d4f538837cb3456a9102fefb02291dc8547ead5d60255e629c02ece53

SHA512
8170b5e6c84d0050b87b13096277d00a0b578573e3e72569e0f27adfee837b0994c2f92d0b3feffba3b34fc60df2a37fbaca0a9f27e0237e1f26fd26c95172d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8afveas.0.vb
Filesize
14KB

MD5
da109c193654dbf730b1277b0a8924e9

SHA1
ab7f1a046cb71affc5fc70717ccbf72a2f6e820e

SHA256
1649e4acebaf93c98a18938ee3f274bdc1230d74d3843ee289d4a14af34e3249

SHA512
442fa6d47d1e58cb8ecab1d8f974c96b1eb08a25987e8f8a2185875ee3851f8d04f0116429a7374d3f902139252bdef04536fc9595a079804524d7ff8fbb9a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8afveas.cmdline
Filesize
266B

MD5
f953e08775d57395c270402403763bd2

SHA1
b8f962eb10fd4cd253329299fb94d2a4169dd446

SHA256
5dcae7e532733ce48a2f25b8ba257c3737c52606b5ebb04747ebb17fde2d9059

SHA512
54f2d002d2cac94f32b18a10661a6157235be2f3c3f72392a121f51974e73b04f68340d5a160b07914f0578dfb2296057fe6374014c2e9f207ecdf26294cc725

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF02A.tmp.exe
Filesize
78KB

MD5
6686701f03a00987d41cc67794402028

SHA1
2a544081e0e08bc208c69596de5e70eb837020da

SHA256
3f31a2275da18056ea3a8b58439933ad7c98fe289c1cc0975e89140a06f43026

SHA512
d58cf27564d5a39bafba672627f5760504e423f4c4dd1c3cd1e148530bcf2316a8373462a160ebfd8482208b01d279df9e875baf732baa56e82e85fd78743816

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF02A.tmp.exe
Filesize
78KB

MD5
6686701f03a00987d41cc67794402028

SHA1
2a544081e0e08bc208c69596de5e70eb837020da

SHA256
3f31a2275da18056ea3a8b58439933ad7c98fe289c1cc0975e89140a06f43026

SHA512
d58cf27564d5a39bafba672627f5760504e423f4c4dd1c3cd1e148530bcf2316a8373462a160ebfd8482208b01d279df9e875baf732baa56e82e85fd78743816

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF1BF.tmp
Filesize
660B

MD5
237103bf6291e8ada82fac8a39d7cf2e

SHA1
eef743c09235c4c023c20b1e78f510ffba896aed

SHA256
4799734ded67eb41a722adb1cda0680d1a6924aaea02e480c86cf57b4ac4ac15

SHA512
c29f61f15054a4306406d97902cdabdbb0d841188ae24d391e093c75acdd657eb3e857f7ba848c4a7fbd8bf1edb0d5fb574432b846c148202ea61fc88af92b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF02A.tmp.exe
Filesize
78KB

MD5
6686701f03a00987d41cc67794402028

SHA1
2a544081e0e08bc208c69596de5e70eb837020da

SHA256
3f31a2275da18056ea3a8b58439933ad7c98fe289c1cc0975e89140a06f43026

SHA512
d58cf27564d5a39bafba672627f5760504e423f4c4dd1c3cd1e148530bcf2316a8373462a160ebfd8482208b01d279df9e875baf732baa56e82e85fd78743816

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF02A.tmp.exe
Filesize
78KB

MD5
6686701f03a00987d41cc67794402028

SHA1
2a544081e0e08bc208c69596de5e70eb837020da

SHA256
3f31a2275da18056ea3a8b58439933ad7c98fe289c1cc0975e89140a06f43026

SHA512
d58cf27564d5a39bafba672627f5760504e423f4c4dd1c3cd1e148530bcf2316a8373462a160ebfd8482208b01d279df9e875baf732baa56e82e85fd78743816

Download Submit
memory/1460-65-0x0000000000000000-mapping.dmp

Download
memory/1460-69-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1460-70-0x00000000020B5000-0x00000000020C6000-memory.dmp

Filesize
68KB

Download
memory/1460-71-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-59-0x0000000000000000-mapping.dmp

Download
memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1964-68-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-55-0x0000000000000000-mapping.dmp

Download