metamorpherrat | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e

Analysis

max time kernel
10s
max time network
14s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
Size

78KB
MD5

a458a860cc198d046bd160f8dce82e13
SHA1

98b3e2bb8224e751135e9c2b74ed8a7f428cd66a
SHA256

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e
SHA512

bb9f213bb110615733628807537616bba34fb9895b3363516b97396a126942f003fe69a0808bcef7a410e58bba81430183b33187f292b0659377f39bb92d3891
SSDEEP

1536:8i5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtM699/0C19e:55jS7JywQjDgTLopLwdCFJzv9/e

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF596.tmp.exe

pid process

1344 tmpF596.tmp.exe

pid	process
1344	tmpF596.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe

pid	process
1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe

description pid process

Token: SeDebugPrivilege 1004 b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe

description	pid	process
Token: SeDebugPrivilege	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exevbc.exe

description	pid	process	target process
PID 1004 wrote to memory of 1600	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	vbc.exe
PID 1004 wrote to memory of 1600	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	vbc.exe
PID 1004 wrote to memory of 1600	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	vbc.exe
PID 1004 wrote to memory of 1600	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	vbc.exe
PID 1600 wrote to memory of 1536	1600	vbc.exe	cvtres.exe
PID 1600 wrote to memory of 1536	1600	vbc.exe	cvtres.exe
PID 1600 wrote to memory of 1536	1600	vbc.exe	cvtres.exe
PID 1600 wrote to memory of 1536	1600	vbc.exe	cvtres.exe
PID 1004 wrote to memory of 1344	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	tmpF596.tmp.exe
PID 1004 wrote to memory of 1344	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	tmpF596.tmp.exe
PID 1004 wrote to memory of 1344	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	tmpF596.tmp.exe
PID 1004 wrote to memory of 1344	1004	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	tmpF596.tmp.exe

C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
"C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\35afforh.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6DE.tmp"
3⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
2⤵
- Executes dropped EXE
PID:1344

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35afforh.0.vb
Filesize
14KB

MD5
fa830aa676ed1fb3be7d2329ab3da2f8

SHA1
87dd8f333b02f861a61c372934c77d559a23e60b

SHA256
bb9b2cdf79401bbdaac502484014278d6bb11ba4616a0efe74a9d08bda31ad9e

SHA512
a6bb04ab3d2eb9485aeeb78dc256b7e1c3079177c6018a3b0d972bc93126253dac1c71760b258456dbeef1c5ab5d2d8dc45fd0dd91b45d5d838bdc63956bfb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\35afforh.cmdline
Filesize
266B

MD5
387831b745cf64bd1fa9c08be5071e64

SHA1
2176e0081338379607eb0946853374c542c2ecc7

SHA256
1e75898ca825339a83572f7d9bb98f2315e658210f77d646608aec8b47cfe992

SHA512
61d0ac3dfae99ebe699d89eabcb09f0f72b058266ae7c327992d6f158d45f9432552919c4140f73ffee1d217b0daafd8719187938a3eabbf3d5e7b06cc75a236

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF6DF.tmp
Filesize
1KB

MD5
728c8c56470df407a52f1bfd19540cf4

SHA1
635fbffca73d409f945da4f282f1284658295701

SHA256
0a5b762063da4af53672d9549d9aa42bcda7be91de541b2c025b868f8bcd4d63

SHA512
8e571d95c3a2ec063f11925ffdf4f6ff6408b84e0259dfd8af575f45da0ee6f6686c9d271683219e4d44095e2e5b8b5350a88d27363281ff8bdc14b7119c5b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe
Filesize
78KB

MD5
c9b6c16b41fe675a60abb361c740250e

SHA1
3376625b24849a3d87e746eb0d273de58887192c

SHA256
7b436e27561fce60339be0e275f77868eb81e275bb804757e163d3924895ccde

SHA512
e3e7f4f306756752ea8d966c580816b82fa27861b2de32e958ea5a7e78f604876c0bb352b9cbb57d020ec6bcc5c523bc7e4502e889ddbb8cd1fdfb2662a19fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe
Filesize
78KB

MD5
c9b6c16b41fe675a60abb361c740250e

SHA1
3376625b24849a3d87e746eb0d273de58887192c

SHA256
7b436e27561fce60339be0e275f77868eb81e275bb804757e163d3924895ccde

SHA512
e3e7f4f306756752ea8d966c580816b82fa27861b2de32e958ea5a7e78f604876c0bb352b9cbb57d020ec6bcc5c523bc7e4502e889ddbb8cd1fdfb2662a19fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF6DE.tmp
Filesize
660B

MD5
2acd14aa4e1b35407d4eb6d5c679cf2c

SHA1
acbc43c3fde905bbcf241f6b4a3b976035291152

SHA256
348bff5895ae12ce22c3e162193836fca7fb8e2cb12d09e52ee14ee18f5829d3

SHA512
c1e59d2a6e213c7d854ebbf88f3e425ce6b7acd589474078476719d279e752189656927537a90e67c4b5b2aa4aae886a1fb97a49d98bcbd10edd96231270365d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe
Filesize
78KB

MD5
c9b6c16b41fe675a60abb361c740250e

SHA1
3376625b24849a3d87e746eb0d273de58887192c

SHA256
7b436e27561fce60339be0e275f77868eb81e275bb804757e163d3924895ccde

SHA512
e3e7f4f306756752ea8d966c580816b82fa27861b2de32e958ea5a7e78f604876c0bb352b9cbb57d020ec6bcc5c523bc7e4502e889ddbb8cd1fdfb2662a19fdb

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe
Filesize
78KB

MD5
c9b6c16b41fe675a60abb361c740250e

SHA1
3376625b24849a3d87e746eb0d273de58887192c

SHA256
7b436e27561fce60339be0e275f77868eb81e275bb804757e163d3924895ccde

SHA512
e3e7f4f306756752ea8d966c580816b82fa27861b2de32e958ea5a7e78f604876c0bb352b9cbb57d020ec6bcc5c523bc7e4502e889ddbb8cd1fdfb2662a19fdb

Download Submit
memory/1004-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1004-68-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-65-0x0000000000000000-mapping.dmp

Download
memory/1344-69-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1536-59-0x0000000000000000-mapping.dmp

Download
memory/1600-55-0x0000000000000000-mapping.dmp

Download