metamorpherrat | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0

General

Target

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
Size

78KB
MD5

aa40f7549e3e95321864e35cdda455db
SHA1

7724c529780a900aaf3754b762f02dcd37a0877c
SHA256

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0
SHA512

344e73d0c57de54dd3e4a8b262602446354127f224f41485b3a567b4f1c9605fad1b0b75f4e2c8d7c88a3d3c518b1fa6992b73168fcfac10ffa430c619e1b8e2
SSDEEP

1536:1e58AvZv0kH9gDDtWzYCnJPeoYrGQt36xy9/K1kM:1e58Al0Y9MDYrm7x9/+

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp6EBC.tmp.exe

pid process

1964 tmp6EBC.tmp.exe

pid	process
1964	tmp6EBC.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp6EBC.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp6EBC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exetmp6EBC.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4532	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
Token: SeDebugPrivilege	1964	tmp6EBC.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exevbc.exe

description	pid	process	target process
PID 4532 wrote to memory of 5056	4532	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	vbc.exe
PID 4532 wrote to memory of 5056	4532	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	vbc.exe
PID 4532 wrote to memory of 5056	4532	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	vbc.exe
PID 5056 wrote to memory of 1432	5056	vbc.exe	cvtres.exe
PID 5056 wrote to memory of 1432	5056	vbc.exe	cvtres.exe
PID 5056 wrote to memory of 1432	5056	vbc.exe	cvtres.exe
PID 4532 wrote to memory of 1964	4532	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	tmp6EBC.tmp.exe
PID 4532 wrote to memory of 1964	4532	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	tmp6EBC.tmp.exe
PID 4532 wrote to memory of 1964	4532	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	tmp6EBC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
"C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rel61olb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7081.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2181DF4418924571A3EDFC6E638876F3.TMP"
3⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\tmp6EBC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6EBC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7081.tmp
Filesize
1KB

MD5
205d3d08c5dac862338f3869806ea801

SHA1
a9db6c370f95a49a969a7c08ac63cadca943b1cf

SHA256
78c1fd7adb7199774f272345cf3124a22fca876d99e7abd48d5a1af644e517ed

SHA512
60f6747643e8e1318e5367f514cbe4b6ae56c36797a24d26f217ae1d55d87334c7f4b5ecedd0daa35e433400a6252980dca0bc0040cea1b3c1a3729df4e52209

Download Submit
C:\Users\Admin\AppData\Local\Temp\rel61olb.0.vb
Filesize
14KB

MD5
18bcb17197e9a8ae3a1a072159b822ea

SHA1
3821428510b25a051e09e8983e92b2aa4a762e06

SHA256
8ee0bc2c0dc29ba1e2331213df8bab5ba68a74357b72f09f0693a646db75ef77

SHA512
16d75da489e91247bd93f223b4f361dbb7c19d65a954e38174a55967abbd2ae787aa2c53711a8109e9aafc9584b25fbcacbdc06a61347585c26b061b948efa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\rel61olb.cmdline
Filesize
266B

MD5
f886319f456b3606fbb704eb55d93099

SHA1
d54bd917ddb7c606d7958196b7e6b9797eded2cf

SHA256
7617a4c5d3d7b7b5819e77d13fce62abf76943e906e2c42aa4c5d0ea71f89c02

SHA512
82530941c1c4d48b41f1cac195dbb4177b2e096fb24355298ed9bd8ef01c6a278258f189348fda78ae6080d6c1db5b8e197e3735c0b0ab5032b420b1b8b05e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EBC.tmp.exe
Filesize
78KB

MD5
e0fe03a508808615c87fedc530934e11

SHA1
e379b4d4c95f3d0d89e3d8990dfd81db569711c6

SHA256
81f26cb2740dd65ec4350910f1d8640b5594ca7f53ef6e7f3a03c23d4a1b3e3a

SHA512
0046eadb0316ced14a281d06d1242a06af274f9d67051c5e4937c7a6078d147863437ce77dc26840856814412057b0b8eedf1225b21e894289854ed69a8c3e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EBC.tmp.exe
Filesize
78KB

MD5
e0fe03a508808615c87fedc530934e11

SHA1
e379b4d4c95f3d0d89e3d8990dfd81db569711c6

SHA256
81f26cb2740dd65ec4350910f1d8640b5594ca7f53ef6e7f3a03c23d4a1b3e3a

SHA512
0046eadb0316ced14a281d06d1242a06af274f9d67051c5e4937c7a6078d147863437ce77dc26840856814412057b0b8eedf1225b21e894289854ed69a8c3e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2181DF4418924571A3EDFC6E638876F3.TMP
Filesize
660B

MD5
d0bb4930d772e9aed0cad76f573f0122

SHA1
67dedfc5abccc433197d269c58546a761fc975c6

SHA256
63b7723f652a1fc70df88a477f399c38e0b1bcf876d91aa8264b9ae12a618dee

SHA512
98a4e27d1c00e7ef3b22b14b1a04d886eac692f0d3db5d34ff05df52c73fad72c594417697dcb4faa5feb45b5df46cda49022e4882faa52f9a3e1a90d5d395ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1432-137-0x0000000000000000-mapping.dmp

Download
memory/1964-141-0x0000000000000000-mapping.dmp

Download
memory/1964-144-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/4532-135-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/4532-143-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/5056-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads