metamorpherrat | 04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb

General

Target

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Size

78KB
MD5

f36c82d4adff5d05b7755ac1ce582be5
SHA1

9f5f2f973e6265a1558617182b3c0ed23ad98e5f
SHA256

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb
SHA512

87526732cc047c8591855a5d346c4a89673c5dc11358cb192f8780f450561cc7eb0e93df9308b6c148e3f4688d328407d8b443313241030960b91a5a0321c1c9
SSDEEP

1536:2WV5Udy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt961M9/Ce19f:2WV5jn7N041QqhgGM9/C+

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp832F.tmp.exe

pid process

1548 tmp832F.tmp.exe

pid	process
1548	tmp832F.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp832F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp832F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exetmp832F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4880	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Token: SeDebugPrivilege	1548	tmp832F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exevbc.exe

description	pid	process	target process
PID 4880 wrote to memory of 4364	4880	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 4880 wrote to memory of 4364	4880	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 4880 wrote to memory of 4364	4880	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 4364 wrote to memory of 1688	4364	vbc.exe	cvtres.exe
PID 4364 wrote to memory of 1688	4364	vbc.exe	cvtres.exe
PID 4364 wrote to memory of 1688	4364	vbc.exe	cvtres.exe
PID 4880 wrote to memory of 1548	4880	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp832F.tmp.exe
PID 4880 wrote to memory of 1548	4880	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp832F.tmp.exe
PID 4880 wrote to memory of 1548	4880	04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp832F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
"C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rb08i6_d.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C534670BA4D4AF9A062615651BCB84B.TMP"
3⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES84E4.tmp
Filesize
1KB

MD5
b58bef03b6554cc9118cb58040f52ae5

SHA1
3b814f1a6f875e293c99866e905a70bdf6e97f52

SHA256
4c43d62b7b814ed37e01f0512c8c977150b1e03907e100e96bf11e4bf7a25166

SHA512
7639559ed0d6b4d656bd96ccc4b034fbfa89a0c726eea3c074c93a9aae8837da16f504b1d65680e165e26cee99086147a30b69ad937f3bd72a02dbd6bc5ed4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rb08i6_d.0.vb
Filesize
14KB

MD5
3b7e3994102e2594f2c7f358f88514dd

SHA1
e9fb0e8e6548cec1907d268fee6a95fb1a1c86b5

SHA256
7527a83ae6ffbc0b163edb78a863dbf3d59d435f519ed5276bfd9383c37cdaad

SHA512
ebd1512733474ed6aec8a5b05e9069e9f8ed903bf197c203e537a2f1f1e9b73ae705120cf3790f6dc997e7190a2e680c1ea9ba2626976a0d84004221399f8be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rb08i6_d.cmdline
Filesize
266B

MD5
00928d54d041884b8f473cefbea108b0

SHA1
c26f7e9bcee807471d565d758ddd963aed40a657

SHA256
08d6bdf6cb8a5018dc9e5eb424e458353fabb60eaa01b25ae9b4b5f53c82e221

SHA512
96efcc675c32561b4aaf4440611a4dd11b1071df73e26f9937a59d2f0e1020cd7728c2b53fc159e10aec23ffcec77a84f1e514bc819f69b719e074fbc616d8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe
Filesize
78KB

MD5
d3d12f3774fe6e0756713690892fe46f

SHA1
dd744d22d67abcda15be36512a88b0839b2f1a5c

SHA256
422a41377e75e6d1edfea75a46654a21ccf66a4009b04b1ca32239bb9c83008b

SHA512
7068c0f0c44c69278f8100948e0b37f42dba6cb5ff5e5caeaebd331b07f5f965f82ce3efcf7d8b553d0e3dd8e88246f4201113bcfd7ed7278a3bbc54875aa756

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe
Filesize
78KB

MD5
d3d12f3774fe6e0756713690892fe46f

SHA1
dd744d22d67abcda15be36512a88b0839b2f1a5c

SHA256
422a41377e75e6d1edfea75a46654a21ccf66a4009b04b1ca32239bb9c83008b

SHA512
7068c0f0c44c69278f8100948e0b37f42dba6cb5ff5e5caeaebd331b07f5f965f82ce3efcf7d8b553d0e3dd8e88246f4201113bcfd7ed7278a3bbc54875aa756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6C534670BA4D4AF9A062615651BCB84B.TMP
Filesize
660B

MD5
284d2ad64cb5daca40637aa1dccb3881

SHA1
3a94ff2caf9f6a21f1a554bfd0c03aaac41c7b75

SHA256
fa6ecdaf6f92a463cc1a0f18066ab29a69421be175ca6686b4b99d6830b09478

SHA512
00ae1809bf5ed6c316ad2f472af720c062a1cd2991065643f594a1169a26ed6e4ca0cff949fed9826493ddcc58d80303ae35477e60b4e534e21d0ebeff51571b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1548-141-0x0000000000000000-mapping.dmp

Download
memory/1548-144-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/1548-145-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-137-0x0000000000000000-mapping.dmp

Download
memory/4364-133-0x0000000000000000-mapping.dmp

Download
memory/4880-132-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-143-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads