metamorpherrat | a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933

Analysis

max time kernel
9s
max time network
12s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
Size

78KB
MD5

b08577bf2c8e0b1beaf1b07b30fb7ba4
SHA1

7dc41082c33bb9c2ba802c495aff3e5043c5808d
SHA256

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933
SHA512

edb177107973654efe5d0a27d93be2a801cdc2e106c6080a50ea29d77231f4683c9b4af07f17e56bb744630495c1e7a14bf3b221bebfc68ca2180aed55756488
SSDEEP

1536:tSV5OXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQts639/Vq1JM:tSV5GSyRxvY3md+dWWZy99/P

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF651.tmp.exe

pid process

1664 tmpF651.tmp.exe

pid	process
1664	tmpF651.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe

pid	process
828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpF651.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpF651.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exetmpF651.tmp.exe

description	pid	process
Token: SeDebugPrivilege	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
Token: SeDebugPrivilege	1664	tmpF651.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exevbc.exe

description	pid	process	target process
PID 828 wrote to memory of 1948	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	vbc.exe
PID 828 wrote to memory of 1948	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	vbc.exe
PID 828 wrote to memory of 1948	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	vbc.exe
PID 828 wrote to memory of 1948	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	vbc.exe
PID 1948 wrote to memory of 1744	1948	vbc.exe	cvtres.exe
PID 1948 wrote to memory of 1744	1948	vbc.exe	cvtres.exe
PID 1948 wrote to memory of 1744	1948	vbc.exe	cvtres.exe
PID 1948 wrote to memory of 1744	1948	vbc.exe	cvtres.exe
PID 828 wrote to memory of 1664	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	tmpF651.tmp.exe
PID 828 wrote to memory of 1664	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	tmpF651.tmp.exe
PID 828 wrote to memory of 1664	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	tmpF651.tmp.exe
PID 828 wrote to memory of 1664	828	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	tmpF651.tmp.exe

C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
"C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mjgdaadi.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7C8.tmp"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1664

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF7C9.tmp
Filesize
1KB

MD5
7b0d6e4b715e2c940cabe298f52e7ad8

SHA1
18b7e9173a6d3d50fd32e6a98b114f3173517ecd

SHA256
d68e8bdf0c5c513d00e65b859a1944ce2868e0d324ca626b644ba82a87198274

SHA512
7df4e89f6713ed7675d04cf179804b6fc322aeecf54023636e47e64f91a30cab0dcffb03ef256b9d3809ee271114a8b8c123727ae932e2f9f71281879e3449c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjgdaadi.0.vb
Filesize
14KB

MD5
b6933af07b647101af5de45e8a284c87

SHA1
cf9b9821561e2f5deaf8caed4a02dd81e91a1c61

SHA256
3fb32cd61908e471080050862a4631b4685fb70af4e097627451382bcfb779b6

SHA512
123e816790408b013d73f55f6485d8001b11687bc555d7e6100631f5a8b9707da7b4d0c489a85eea52f91559a432c26adb195916dd6fe0a6ee304e66680bd6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjgdaadi.cmdline
Filesize
266B

MD5
d3c1d08af83c1a692fad9dd44dbfc8d3

SHA1
cb3227fcd970e717867a13ac79aa26b2ceaf47c7

SHA256
ed6b38f8cd0d98ffead3e2e42bcad507407453989448711dcbd09230c6d98299

SHA512
0b2e6ba7ef793ad269da6522657b8bd204b38592d3d58c55065cc10002209da9fca16384c22b44f4ed4d208e32ef01f5025476f4a3957dc2e999c8f5811bcdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe
Filesize
78KB

MD5
238aee89bb52b80dbca05b8a078a7351

SHA1
aedd5f06957b065c2cf22e082c20cb5dc59f4c14

SHA256
d975f5c90f61c8cc38508ebf43a34dc2ac7e509f82f57e6ccb94ddf0cfdcfa64

SHA512
b7beebc9e0befc2ee4e71339355c5d7617e8c8b67019d35bf0396501811b00f87ef34808ab267646db4d0801612707c4d844724e58861a6cc0ae35d325318991

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe
Filesize
78KB

MD5
238aee89bb52b80dbca05b8a078a7351

SHA1
aedd5f06957b065c2cf22e082c20cb5dc59f4c14

SHA256
d975f5c90f61c8cc38508ebf43a34dc2ac7e509f82f57e6ccb94ddf0cfdcfa64

SHA512
b7beebc9e0befc2ee4e71339355c5d7617e8c8b67019d35bf0396501811b00f87ef34808ab267646db4d0801612707c4d844724e58861a6cc0ae35d325318991

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF7C8.tmp
Filesize
660B

MD5
902836b1ba0a2b8c08bbd62715b6fee7

SHA1
a81290fe5615dccfecc990e8085bc6b76a4c735f

SHA256
8814d26ea808d7a599ccb1a5c14d2758fbd18bc7ba37e0d5bcbbe14858ae63e6

SHA512
498002705109a60c814924b8d7a77c986c82bc287d4471526ddf8fd340dd54c65fd7d69dfdb01ec92d8269680beae17a2bf34b6cc3b39007e63b96021d3ce64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe
Filesize
78KB

MD5
238aee89bb52b80dbca05b8a078a7351

SHA1
aedd5f06957b065c2cf22e082c20cb5dc59f4c14

SHA256
d975f5c90f61c8cc38508ebf43a34dc2ac7e509f82f57e6ccb94ddf0cfdcfa64

SHA512
b7beebc9e0befc2ee4e71339355c5d7617e8c8b67019d35bf0396501811b00f87ef34808ab267646db4d0801612707c4d844724e58861a6cc0ae35d325318991

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe
Filesize
78KB

MD5
238aee89bb52b80dbca05b8a078a7351

SHA1
aedd5f06957b065c2cf22e082c20cb5dc59f4c14

SHA256
d975f5c90f61c8cc38508ebf43a34dc2ac7e509f82f57e6ccb94ddf0cfdcfa64

SHA512
b7beebc9e0befc2ee4e71339355c5d7617e8c8b67019d35bf0396501811b00f87ef34808ab267646db4d0801612707c4d844724e58861a6cc0ae35d325318991

Download Submit
memory/828-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/828-68-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-65-0x0000000000000000-mapping.dmp

Download
memory/1664-69-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-59-0x0000000000000000-mapping.dmp

Download
memory/1948-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads