metamorpherrat | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a

Analysis

max time kernel
132s
max time network
170s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
Size

122KB
MD5

c9d37054a8372b74f0de27dbdb4b7436
SHA1

083bcbd248bcfe4735f3785cb789647dcf02e7cd
SHA256

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a
SHA512

4525e6acc3f4e118f315059f152a362dbed3a81e87fb46a1b6d388c53d9d547c0125db2a3c19814d559611e07150e5141d8d854a992d4e5a5a3f95dc7a1bdd28
SSDEEP

3072:+vCTDGgFwxgc0MwWvEsqfEcDemBXw6UoamxoF9CoTEgnShXAFKa2rMJt3cMtPRG5:lBgvoCRJvR36+dDZon9

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp713B.tmp.exe

pid process

1104 tmp713B.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp713B.tmp.exe

pid process

1104 tmp713B.tmp.exe

pid	process
1104	tmp713B.tmp.exe

pid	process
1104	tmp713B.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe

pid	process
1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp713B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\normalization = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.VisualBasic.Vsa.exe\""	tmp713B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exetmp713B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
Token: SeDebugPrivilege	1104	tmp713B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exevbc.exe

description	pid	process	target process
PID 1480 wrote to memory of 1996	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	vbc.exe
PID 1480 wrote to memory of 1996	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	vbc.exe
PID 1480 wrote to memory of 1996	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	vbc.exe
PID 1480 wrote to memory of 1996	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	vbc.exe
PID 1996 wrote to memory of 1904	1996	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 1904	1996	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 1904	1996	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 1904	1996	vbc.exe	cvtres.exe
PID 1480 wrote to memory of 1104	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	tmp713B.tmp.exe
PID 1480 wrote to memory of 1104	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	tmp713B.tmp.exe
PID 1480 wrote to memory of 1104	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	tmp713B.tmp.exe
PID 1480 wrote to memory of 1104	1480	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	tmp713B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
"C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z5b_vjce.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A01.tmp"
3⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7A02.tmp
Filesize
1KB

MD5
47a2ebe7b6b1a24e8266603e6b6b6468

SHA1
1e51fa058471f9563d7c8a1a503565d4402efb68

SHA256
a182c7e44d06c17abc36e0bdd2c218350020484e438af198367586bf04f71689

SHA512
f9a2e29556a692fd52d9b815c023719f9de2bccaa8bbea23b9278eba823ed8684ed68a7262cb34642d11fb3d8738a738fdc636ec429cfef879c5b76e01829320

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe
Filesize
84KB

MD5
fa49fce306b22bf35ca917ce54c17e13

SHA1
8dbbc4cf8a78c1bb854100f75a837d1b1cb4cdb4

SHA256
a2d87d6b498f8eeef01d53b5136f9cf100c32d79397cd247b8ca9c3add84ea55

SHA512
6a437261269053bcd5034ea8537bb7265e42320498ceb5895ab312c856b8d62aac21d49cc1b5c8150f02da9cde7faf4e930cb8e794f7c743fbf4fac214a8c5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe
Filesize
84KB

MD5
fa49fce306b22bf35ca917ce54c17e13

SHA1
8dbbc4cf8a78c1bb854100f75a837d1b1cb4cdb4

SHA256
a2d87d6b498f8eeef01d53b5136f9cf100c32d79397cd247b8ca9c3add84ea55

SHA512
6a437261269053bcd5034ea8537bb7265e42320498ceb5895ab312c856b8d62aac21d49cc1b5c8150f02da9cde7faf4e930cb8e794f7c743fbf4fac214a8c5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7A01.tmp
Filesize
660B

MD5
7db878b144b045f56f5087caec8714d2

SHA1
e8af6fec8f35d8fd730d0528428352919dc09e70

SHA256
ac2136c6e469c6a193f779e3be92a3b678306cad6b24624df9d8a251082c91d6

SHA512
5a5aeeb44c816ff9361f3e6d95d725a632526e8ce7cb3f651cb34b79a0eef164902bbe867391672d7e2648c90319be05117418cc904552740df558a0fe3224f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\z5b_vjce.0.vb
Filesize
31KB

MD5
1598e1b8904a7e3ce9df9693f4a23274

SHA1
44a0031083b4358b9db073c44b38f36d06b32c42

SHA256
1124bb900509ddb1d15a161b9b9a3673135ace46332375c06a12c9fa6f020527

SHA512
5138c5846e14a4ab9a33c843813b7d76150470adc5e5065bebd8f19f8b0d7db3b3742970fad0039cc2d8fcde2d1e2796ed6204f80237aecaa62eb20d6e51cfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\z5b_vjce.cmdline
Filesize
266B

MD5
4bf8a41c87c80ab961714ddd9aaee617

SHA1
231469ab7f0c2af3c0e409ebefe974473a0e7730

SHA256
afe963e0e02f7285286d28476237097207614e255b289e59db29321ed6b480bc

SHA512
0e129958b04189d6f4e0126b56a097cd5c9956c7eb2b57d66a2a1ed993a482a6f9e7414010aa3ff3b55a01473beb39599813d941bffee8375f9135eb260bc3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
ab2ae34957da340df62e391e4c787903

SHA1
bbc36baa919c8bd54848f942b1649085fc0e7f69

SHA256
9dab1334b4275bd3c2b051f79cc66eb8854f808eea4892617668c634842fe669

SHA512
ff676f0ce26a2b867b2d37847fccdee6a25a99d3003490166673c8ba3048e79c50e9247ecd91287c638bfa42dc4e240df8ba076f6dc2b0a44b9f4fdc6c4941b3

Download Submit
\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe
Filesize
84KB

MD5
fa49fce306b22bf35ca917ce54c17e13

SHA1
8dbbc4cf8a78c1bb854100f75a837d1b1cb4cdb4

SHA256
a2d87d6b498f8eeef01d53b5136f9cf100c32d79397cd247b8ca9c3add84ea55

SHA512
6a437261269053bcd5034ea8537bb7265e42320498ceb5895ab312c856b8d62aac21d49cc1b5c8150f02da9cde7faf4e930cb8e794f7c743fbf4fac214a8c5e1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe
Filesize
84KB

MD5
fa49fce306b22bf35ca917ce54c17e13

SHA1
8dbbc4cf8a78c1bb854100f75a837d1b1cb4cdb4

SHA256
a2d87d6b498f8eeef01d53b5136f9cf100c32d79397cd247b8ca9c3add84ea55

SHA512
6a437261269053bcd5034ea8537bb7265e42320498ceb5895ab312c856b8d62aac21d49cc1b5c8150f02da9cde7faf4e930cb8e794f7c743fbf4fac214a8c5e1

Download Submit
memory/1104-66-0x0000000000000000-mapping.dmp

Download
memory/1104-70-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1104-71-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1104-72-0x0000000000BA5000-0x0000000000BB6000-memory.dmp

Filesize
68KB

Download
memory/1104-73-0x0000000000BA5000-0x0000000000BB6000-memory.dmp

Filesize
68KB

Download
memory/1480-58-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1480-69-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-60-0x0000000000000000-mapping.dmp

Download
memory/1996-55-0x0000000000000000-mapping.dmp

Download