metamorpherrat | 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a

Analysis

max time kernel
11s
max time network
14s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
Size

78KB
MD5

ffc69516a66858e500dcc05a39fa3d78
SHA1

806791dd76c2419e5c1ee1c61f661babf2d2bb83
SHA256

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a
SHA512

fa1e052c94236ffdcecadce525a29af2fa6fa6eb48b03f6e9254e1ca36a88ec7c3c7dddbd1e9bce5d4338da5da164870408f03a14111577ad2702fb2fe2ed081
SSDEEP

1536:cRy58MpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd69v9/S1Zm:cRy58iJywQjDgTLopLwdCFJz+v9/D

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp1527.tmp.exe

pid process

848 tmp1527.tmp.exe

pid	process
848	tmp1527.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

pid	process
1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

description pid process

Token: SeDebugPrivilege 1380 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

description	pid	process
Token: SeDebugPrivilege	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exevbc.exe

description	pid	process	target process
PID 1380 wrote to memory of 1188	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	vbc.exe
PID 1380 wrote to memory of 1188	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	vbc.exe
PID 1380 wrote to memory of 1188	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	vbc.exe
PID 1380 wrote to memory of 1188	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	vbc.exe
PID 1188 wrote to memory of 1608	1188	vbc.exe	cvtres.exe
PID 1188 wrote to memory of 1608	1188	vbc.exe	cvtres.exe
PID 1188 wrote to memory of 1608	1188	vbc.exe	cvtres.exe
PID 1188 wrote to memory of 1608	1188	vbc.exe	cvtres.exe
PID 1380 wrote to memory of 848	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	tmp1527.tmp.exe
PID 1380 wrote to memory of 848	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	tmp1527.tmp.exe
PID 1380 wrote to memory of 848	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	tmp1527.tmp.exe
PID 1380 wrote to memory of 848	1380	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	tmp1527.tmp.exe

C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
"C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b9f2lzff.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16AD.tmp"
3⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe" C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
2⤵
- Executes dropped EXE
PID:848

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES16AE.tmp
Filesize
1KB

MD5
6a4c912b60f3fd7a758fd1b9d725bd41

SHA1
6fbf454ebc922068e3a87aea75d29ca0187f201d

SHA256
4b00f505bb9c1dbcb05fd948a9d350e6863d08e9bd779558785716be45070bbb

SHA512
00ddecb787f37289adf56c4ee91a9a68e79963fb18b1ea9138a233a5a606dc54d98d27167c46dec23641f657625ab3a6eacf4f12e0d1a0a6b1a0b3fdbe091890

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9f2lzff.0.vb
Filesize
14KB

MD5
d627fc097a234fa11894089a0159679b

SHA1
cd39b6cfc1ff6f898243d90d120cf982daec03a1

SHA256
6a1c854fa4cee8b8212cba66cb61eaec208ce3533f76ad71f2fbeb0eb87b3905

SHA512
278d74b5623dec0759ad5d96d546da5181beea8764cfeb6d9b303b2efa87e34d36b086d18eddf058dd0ce1ac7279176c932b86aa7ee0017437ff4594861bb224

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9f2lzff.cmdline
Filesize
266B

MD5
eb871c138721635c50536f6169b55a4c

SHA1
fa165ad54a5d995390687f9167cc1d3e401dcb07

SHA256
d61078243a1131f4c2b3f37956455148bcf691dbb7f19149e10bf7778e33dc05

SHA512
b94e564421ed8a69cfcd3bdb5507dc453e983e45047765dd293bf82ff44f4f2ee528804d8a69f17a0f00ff4b4bb6cf549cd309a6f59ee71bb062061d36f5fccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
Filesize
78KB

MD5
7574119fea41b1e1d7d87342dcf0875f

SHA1
d1970cca1ffd7c4faf403135da1d1af11afb0ff1

SHA256
317756146b8ab49bfa59bf6ecd3c62cc65e4cc7f8fb9a8817abca2937d647158

SHA512
2a4d94b72a06462537988beebf0d9c121291f4f11d3650890ee221cf6915809392a44ea6cfcf25e06fe4642ab8eee5df347eeccdf573faa33af7d35bdecc0eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
Filesize
78KB

MD5
7574119fea41b1e1d7d87342dcf0875f

SHA1
d1970cca1ffd7c4faf403135da1d1af11afb0ff1

SHA256
317756146b8ab49bfa59bf6ecd3c62cc65e4cc7f8fb9a8817abca2937d647158

SHA512
2a4d94b72a06462537988beebf0d9c121291f4f11d3650890ee221cf6915809392a44ea6cfcf25e06fe4642ab8eee5df347eeccdf573faa33af7d35bdecc0eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc16AD.tmp
Filesize
660B

MD5
48a09e326b018f147aacb9a66dbcae40

SHA1
84be259b8839e898c31b7a33dda4d2d88a8470ba

SHA256
97e0f6937f802dbe538a28301d48a70e08c9dc56a2e08404328c644a8d65aa41

SHA512
b0b0615c53ebdbd9bd704b6f55713bc5b7f92d00dceb1b36a335460d7da998f89ca0130796c39d1bd89dfb3da59977e05dbbfc60dfa69ed9a57faf1e017cc8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
Filesize
78KB

MD5
7574119fea41b1e1d7d87342dcf0875f

SHA1
d1970cca1ffd7c4faf403135da1d1af11afb0ff1

SHA256
317756146b8ab49bfa59bf6ecd3c62cc65e4cc7f8fb9a8817abca2937d647158

SHA512
2a4d94b72a06462537988beebf0d9c121291f4f11d3650890ee221cf6915809392a44ea6cfcf25e06fe4642ab8eee5df347eeccdf573faa33af7d35bdecc0eba

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
Filesize
78KB

MD5
7574119fea41b1e1d7d87342dcf0875f

SHA1
d1970cca1ffd7c4faf403135da1d1af11afb0ff1

SHA256
317756146b8ab49bfa59bf6ecd3c62cc65e4cc7f8fb9a8817abca2937d647158

SHA512
2a4d94b72a06462537988beebf0d9c121291f4f11d3650890ee221cf6915809392a44ea6cfcf25e06fe4642ab8eee5df347eeccdf573faa33af7d35bdecc0eba

Download Submit
memory/848-65-0x0000000000000000-mapping.dmp

Download
memory/848-68-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/1188-55-0x0000000000000000-mapping.dmp

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-69-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-59-0x0000000000000000-mapping.dmp

Download