metamorpherrat | 04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-12-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Size

78KB
MD5

f36c82d4adff5d05b7755ac1ce582be5
SHA1

9f5f2f973e6265a1558617182b3c0ed23ad98e5f
SHA256

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb
SHA512

87526732cc047c8591855a5d346c4a89673c5dc11358cb192f8780f450561cc7eb0e93df9308b6c148e3f4688d328407d8b443313241030960b91a5a0321c1c9
SSDEEP

1536:2WV5Udy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt961M9/Ce19f:2WV5jn7N041QqhgGM9/C+

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp14AA.tmp.exe

pid process

536 tmp14AA.tmp.exe

pid	process
536	tmp14AA.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe

pid	process
1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp14AA.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp14AA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exetmp14AA.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Token: SeDebugPrivilege	536	tmp14AA.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exevbc.exe

description	pid	process	target process
PID 1768 wrote to memory of 1316	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 1768 wrote to memory of 1316	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 1768 wrote to memory of 1316	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 1768 wrote to memory of 1316	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 1316 wrote to memory of 1812	1316	vbc.exe	cvtres.exe
PID 1316 wrote to memory of 1812	1316	vbc.exe	cvtres.exe
PID 1316 wrote to memory of 1812	1316	vbc.exe	cvtres.exe
PID 1316 wrote to memory of 1812	1316	vbc.exe	cvtres.exe
PID 1768 wrote to memory of 536	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp14AA.tmp.exe
PID 1768 wrote to memory of 536	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp14AA.tmp.exe
PID 1768 wrote to memory of 536	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp14AA.tmp.exe
PID 1768 wrote to memory of 536	1768	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp14AA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\af0tiygb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15E2.tmp"
3⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES15E3.tmp
Filesize
1KB

MD5
5ff031bedb8cb05b50afda0fe53136dd

SHA1
501b0e798e8acf9db80bdcfcb5d1f85111bee751

SHA256
575c8484e24272fef3eacdffb9d5e42c6203a997633d8368467fc81ca3d40996

SHA512
e8bbdea7f84515cd7bd00e7ba4d0e791fc34e59ff9e747a7d1382dd30c5534418901a0ff9944fcf0ba86ca61bad1a01d4e763f583a70cded1ebfabb720924577

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0tiygb.0.vb
Filesize
14KB

MD5
ba6835f3cd93b1dbdb8b05dc7f11f361

SHA1
6abc993af64aa6646a4571c0d3388946960d34eb

SHA256
edb60630815c54ef79a3fcce17be9a45d30497c53118bd3eb897ac30e148b059

SHA512
0f684b3509b721f5281395b6e43fb2f180319afe4547d606e68e11079ef0c24e70f7c94c14e82fadb93c9b475a361b8b1acc8c51025a868bdc4a2f28f0fcc109

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0tiygb.cmdline
Filesize
266B

MD5
d591e25bd56e6c8e0f156bc38e141a32

SHA1
acf96a7487f8872afce3dc993127ba5ffba59fe6

SHA256
7e142523010f35dfc65f9dc83cbe7eda423e89f83571c15015ea9b4b0b484835

SHA512
16c806a5c2726d9f38a9ee62c90a8beb84aebc2ed9ff1c0bae6bed6c32d145c6060aad4dacf6bfd0c6cd54fc5d1235a51829e17570d3b563fdc64d948544a375

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe
Filesize
78KB

MD5
783068f8d48d40b0b798ae30028ac262

SHA1
4eb29662ae7d23f3f33208992e514d4de0f425f1

SHA256
69766499e2f46f9d26989db3cbfaef3bcd80ed6f7bbf1081ff5668fd6cf7bb57

SHA512
d8eb39dd6c1cbad75904a2196c4571aa480f4874fc3f4045a738175709150dd694a3156e70236c57c77c7a115fe1d895f233ba761c2ef8471b0a25f75ebbf167

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe
Filesize
78KB

MD5
783068f8d48d40b0b798ae30028ac262

SHA1
4eb29662ae7d23f3f33208992e514d4de0f425f1

SHA256
69766499e2f46f9d26989db3cbfaef3bcd80ed6f7bbf1081ff5668fd6cf7bb57

SHA512
d8eb39dd6c1cbad75904a2196c4571aa480f4874fc3f4045a738175709150dd694a3156e70236c57c77c7a115fe1d895f233ba761c2ef8471b0a25f75ebbf167

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc15E2.tmp
Filesize
660B

MD5
fbd0c0d328ce41e9bf33d04f4314fdfd

SHA1
62558a3649b19f6d7850984f6bb8d146c40b2e19

SHA256
cdbee4085a143ee4cf89a9984edfa7adb5b3122d373e955f1bfc4203d44ae0d3

SHA512
a967ddbde4076a6fbc2b22c69cbf48fd54cae0c87c4fa570dce2ca373b5a7e0986fa76f56bf8682f040e938e3fe80b0f540f72cb657039af1e2babe770b1759c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe
Filesize
78KB

MD5
783068f8d48d40b0b798ae30028ac262

SHA1
4eb29662ae7d23f3f33208992e514d4de0f425f1

SHA256
69766499e2f46f9d26989db3cbfaef3bcd80ed6f7bbf1081ff5668fd6cf7bb57

SHA512
d8eb39dd6c1cbad75904a2196c4571aa480f4874fc3f4045a738175709150dd694a3156e70236c57c77c7a115fe1d895f233ba761c2ef8471b0a25f75ebbf167

Download Submit
\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe
Filesize
78KB

MD5
783068f8d48d40b0b798ae30028ac262

SHA1
4eb29662ae7d23f3f33208992e514d4de0f425f1

SHA256
69766499e2f46f9d26989db3cbfaef3bcd80ed6f7bbf1081ff5668fd6cf7bb57

SHA512
d8eb39dd6c1cbad75904a2196c4571aa480f4874fc3f4045a738175709150dd694a3156e70236c57c77c7a115fe1d895f233ba761c2ef8471b0a25f75ebbf167

Download Submit
memory/536-65-0x0000000000000000-mapping.dmp

Download
memory/536-69-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/536-70-0x0000000000AD5000-0x0000000000AE6000-memory.dmp

Filesize
68KB

Download
memory/536-71-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-55-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1768-68-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/1812-59-0x0000000000000000-mapping.dmp

Download