metamorpherrat | a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933

General

Target

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
Size

78KB
MD5

b08577bf2c8e0b1beaf1b07b30fb7ba4
SHA1

7dc41082c33bb9c2ba802c495aff3e5043c5808d
SHA256

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933
SHA512

edb177107973654efe5d0a27d93be2a801cdc2e106c6080a50ea29d77231f4683c9b4af07f17e56bb744630495c1e7a14bf3b221bebfc68ca2180aed55756488
SSDEEP

1536:tSV5OXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQts639/Vq1JM:tSV5GSyRxvY3md+dWWZy99/P

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp6F1A.tmp.exe

pid process

4892 tmp6F1A.tmp.exe

pid	process
4892	tmp6F1A.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp6F1A.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp6F1A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exetmp6F1A.tmp.exe

description	pid	process
Token: SeDebugPrivilege	528	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
Token: SeDebugPrivilege	4892	tmp6F1A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exevbc.exe

description	pid	process	target process
PID 528 wrote to memory of 1428	528	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	vbc.exe
PID 528 wrote to memory of 1428	528	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	vbc.exe
PID 528 wrote to memory of 1428	528	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	vbc.exe
PID 1428 wrote to memory of 2532	1428	vbc.exe	cvtres.exe
PID 1428 wrote to memory of 2532	1428	vbc.exe	cvtres.exe
PID 1428 wrote to memory of 2532	1428	vbc.exe	cvtres.exe
PID 528 wrote to memory of 4892	528	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	tmp6F1A.tmp.exe
PID 528 wrote to memory of 4892	528	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	tmp6F1A.tmp.exe
PID 528 wrote to memory of 4892	528	a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe	tmp6F1A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
"C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g4pnc6et.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7053.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30F07043550847D19B21AD7CBA06970.TMP"
3⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\tmp6F1A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6F1A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7053.tmp
Filesize
1KB

MD5
b482c738e7e6a0d7df77ca587d6b5f6d

SHA1
2bd4ae9346adbb691aa7c8424aeace78ac6fd5e4

SHA256
46712b182035b7eddfbf7a11201d93c14231dafb01ddabf7e6d797aaa75b7d7d

SHA512
449956a0198b0da057c08b40e3d0c90f210ce2dab000389686e2db8928dcf9531adb5947da252a01ccf62f68b541c6cce0f45a9d7b10bfca4c3f5fb8a1dcb8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4pnc6et.0.vb
Filesize
14KB

MD5
5bb81699addb123610accd5666822d9e

SHA1
67edbeefda02f6a2a7c1f46d9cb4888352eb55db

SHA256
6ce922917c0d4a5cfc570bb09ca4416cfcfcc7ab9cea860026820ba38f4d8ec7

SHA512
7ec1a5da86633381d4d34dda0e8065e85e171b8d83b309337ed9898efff2ed6ecef1490beec5b49813fb0ae27b85e7788eb75f53337d101ebe163de80882deba

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4pnc6et.cmdline
Filesize
266B

MD5
af37c2ef0272e993626bb48a6ba65ec2

SHA1
993274a7a190118dbccb365e2b375822112de81a

SHA256
1ad189acb54488204b513e46ef5bbd1642660c457a5d17cc4bed568344949b0a

SHA512
73aee9d5d2e7de5ba43a9f16961f246253f3abc48936d8c9aa03ccaa275427d47c91b20eb350aaed484a3e77b36616e02435a5ca0d5694c2a3ba932461891870

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F1A.tmp.exe
Filesize
78KB

MD5
584b67776a574277bf7dd3f516c225cc

SHA1
0f4a882189c7858bc44a75d1e60c4ddfefccc748

SHA256
463a67c57aaa3091b4b643322d587b0c84009c0a3c33fe33d6bfcee03bcb621f

SHA512
ec7fabafc6de6e0e27b8ed43f22e74351cebc712f537f9b423c408c3cbabaf5057755d44c57632d911fe4278ad6ea398accce4da4fcb6455e80c248cf7280c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F1A.tmp.exe
Filesize
78KB

MD5
584b67776a574277bf7dd3f516c225cc

SHA1
0f4a882189c7858bc44a75d1e60c4ddfefccc748

SHA256
463a67c57aaa3091b4b643322d587b0c84009c0a3c33fe33d6bfcee03bcb621f

SHA512
ec7fabafc6de6e0e27b8ed43f22e74351cebc712f537f9b423c408c3cbabaf5057755d44c57632d911fe4278ad6ea398accce4da4fcb6455e80c248cf7280c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc30F07043550847D19B21AD7CBA06970.TMP
Filesize
660B

MD5
81a3fbb3c94dde576aa95eee5d451320

SHA1
77210b35de1e01f7497a09a2b1bd1bf949970490

SHA256
7e741c1bf5e268edb470f85b6da9f4c0ef32e48df6e354ce8b3155bf6c33324f

SHA512
651b30d1b4c9f26566814caaa5bac942fea02fd3cf749e613ac4a1192229f43f943a304fa7bb130cada9b77f046943df7b55f07a12b974ad33bead1d70904a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/528-140-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/528-143-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/1428-132-0x0000000000000000-mapping.dmp

Download
memory/2532-136-0x0000000000000000-mapping.dmp

Download
memory/4892-141-0x0000000000000000-mapping.dmp

Download
memory/4892-144-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads