metamorpherrat | 6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-11-2022 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
Size

78KB
MD5

abc3226e9fd2606a3a3d6568c2a717bf
SHA1

62d6486d7d04639445f90eb9943fa9b0a3e1222e
SHA256

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d
SHA512

f81bc5d0351603378ef52babdaa51571db6990bdd929cdb388e9c4a53642d6203619ca94f5144c8bda1b9992c18b8cde89de2a0bbd9bc327b4e1894a41d64438
SSDEEP

1536:g5jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC689/d1hM:g5j9n7N041QqhgE9/G

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF99C.tmp.exe

pid process

1904 tmpF99C.tmp.exe

pid	process
1904	tmpF99C.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe

pid	process
960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpF99C.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpF99C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exetmpF99C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
Token: SeDebugPrivilege	1904	tmpF99C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exevbc.exe

description	pid	process	target process
PID 960 wrote to memory of 1992	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	vbc.exe
PID 960 wrote to memory of 1992	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	vbc.exe
PID 960 wrote to memory of 1992	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	vbc.exe
PID 960 wrote to memory of 1992	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	vbc.exe
PID 1992 wrote to memory of 1484	1992	vbc.exe	cvtres.exe
PID 1992 wrote to memory of 1484	1992	vbc.exe	cvtres.exe
PID 1992 wrote to memory of 1484	1992	vbc.exe	cvtres.exe
PID 1992 wrote to memory of 1484	1992	vbc.exe	cvtres.exe
PID 960 wrote to memory of 1904	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	tmpF99C.tmp.exe
PID 960 wrote to memory of 1904	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	tmpF99C.tmp.exe
PID 960 wrote to memory of 1904	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	tmpF99C.tmp.exe
PID 960 wrote to memory of 1904	960	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	tmpF99C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
"C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pqbr5mlm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB8F.tmp"
3⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\tmpF99C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF99C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFB90.tmp
Filesize
1KB

MD5
6bcee7299f560cc66e70b2333f5c55f7

SHA1
17fef711b79b82ebe90506e0ddab7ca053ee7346

SHA256
210dfbf6f1e120b16b3fc33c8e9457fe1a41aa551a912e786c369b8f4b62c70a

SHA512
1ff7a0d0f69fc62dbe6f4af7e47cfcea5146ff5394f0226370e4e7d37098ec438ffa5e3db3b913ae6ec55420f4f81e6198224ac3a2653955210eae7e2ae1afa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqbr5mlm.0.vb
Filesize
14KB

MD5
6a07772bfa241aa8e8f3cb109520d655

SHA1
41419332ebd9498afdf0fd8ca78dc2c84b844574

SHA256
e9d7779e9e04a9d0e4508240bb880dfdfec3c12d866236d67af83d88ddd93bc2

SHA512
b39d56bf7b2d49e7554cf900eb5bc133d7c40b8bd9180c2613be2c962f43059c086a46b097090f879750cdc2aa53f303bf13e35a93e4f94ce248a161c09e397f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqbr5mlm.cmdline
Filesize
266B

MD5
557c29517671c1ea2a3d857bb84a8d83

SHA1
e9d25114d9c11314c4b8b4091b4538ddac508a6d

SHA256
e057778d109e05c0d94c117606f18e4d137b9d8af3b2940b4735d1dafababf38

SHA512
69c2c4ad28d132f853009368ac1db884770d81250fd083fabbea1ed8a4713b0bf74d32bbd89f036101c8d21371a46c63217f1fdfa719012d88698e1f6ae887aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF99C.tmp.exe
Filesize
78KB

MD5
3627e4e163412c8ebe75269afff6754d

SHA1
3df5eb0cd3da7a433172d0022b966bb240064828

SHA256
6e8351779457b379690f5cfffd6ad74a0cae40299d7fd28cd11bedf29b3642c5

SHA512
19a991a32998f211cdf5a9fd2f180a85ff1b05c62e0d98f39863ce49a9698a14d372f94d76d6552449943e2d9f9fbeae10c90714e6e4eb7671282cbd7159f1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF99C.tmp.exe
Filesize
78KB

MD5
3627e4e163412c8ebe75269afff6754d

SHA1
3df5eb0cd3da7a433172d0022b966bb240064828

SHA256
6e8351779457b379690f5cfffd6ad74a0cae40299d7fd28cd11bedf29b3642c5

SHA512
19a991a32998f211cdf5a9fd2f180a85ff1b05c62e0d98f39863ce49a9698a14d372f94d76d6552449943e2d9f9fbeae10c90714e6e4eb7671282cbd7159f1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB8F.tmp
Filesize
660B

MD5
eac698fffb9465065e3e93fa5d4b6cd4

SHA1
12055ae4533ea04bbbddb16e2d00b6bf8e75b786

SHA256
2dc49e470bd71fdfef8b4abe2262c456fc29e1e88432585d5010ab65f5d1b2e1

SHA512
291fd199de9df7d0fa73187999ffe0975fabf04779c72bd8087d7b9219164f63c4eff2d20e682daba869e91c093aa1698cf5379ed0ab146175ea1b68b805ef39

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF99C.tmp.exe
Filesize
78KB

MD5
3627e4e163412c8ebe75269afff6754d

SHA1
3df5eb0cd3da7a433172d0022b966bb240064828

SHA256
6e8351779457b379690f5cfffd6ad74a0cae40299d7fd28cd11bedf29b3642c5

SHA512
19a991a32998f211cdf5a9fd2f180a85ff1b05c62e0d98f39863ce49a9698a14d372f94d76d6552449943e2d9f9fbeae10c90714e6e4eb7671282cbd7159f1f5

Download Submit
\Users\Admin\AppData\Local\Temp\tmpF99C.tmp.exe
Filesize
78KB

MD5
3627e4e163412c8ebe75269afff6754d

SHA1
3df5eb0cd3da7a433172d0022b966bb240064828

SHA256
6e8351779457b379690f5cfffd6ad74a0cae40299d7fd28cd11bedf29b3642c5

SHA512
19a991a32998f211cdf5a9fd2f180a85ff1b05c62e0d98f39863ce49a9698a14d372f94d76d6552449943e2d9f9fbeae10c90714e6e4eb7671282cbd7159f1f5

Download Submit
memory/960-58-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-69-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-60-0x0000000000000000-mapping.dmp

Download
memory/1904-66-0x0000000000000000-mapping.dmp

Download
memory/1904-70-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/1904-71-0x00000000004F5000-0x0000000000506000-memory.dmp

Filesize
68KB

Download
memory/1904-72-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download