metamorpherrat | 04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb

General

Target

HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Size

78KB
MD5

f36c82d4adff5d05b7755ac1ce582be5
SHA1

9f5f2f973e6265a1558617182b3c0ed23ad98e5f
SHA256

04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb
SHA512

87526732cc047c8591855a5d346c4a89673c5dc11358cb192f8780f450561cc7eb0e93df9308b6c148e3f4688d328407d8b443313241030960b91a5a0321c1c9
SSDEEP

1536:2WV5Udy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt961M9/Ce19f:2WV5jn7N041QqhgGM9/C+

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp8794.tmp.exe

pid process

4816 tmp8794.tmp.exe

pid	process
4816	tmp8794.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp8794.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8794.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exetmp8794.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3708	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Token: SeDebugPrivilege	4816	tmp8794.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exevbc.exe

description	pid	process	target process
PID 3708 wrote to memory of 4440	3708	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 3708 wrote to memory of 4440	3708	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 3708 wrote to memory of 4440	3708	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	vbc.exe
PID 4440 wrote to memory of 5088	4440	vbc.exe	cvtres.exe
PID 4440 wrote to memory of 5088	4440	vbc.exe	cvtres.exe
PID 4440 wrote to memory of 5088	4440	vbc.exe	cvtres.exe
PID 3708 wrote to memory of 4816	3708	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp8794.tmp.exe
PID 3708 wrote to memory of 4816	3708	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp8794.tmp.exe
PID 3708 wrote to memory of 4816	3708	HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe	tmp8794.tmp.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\83yuyykm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8959.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB91B7C89CE0401CA65F72A10B9D34D.TMP"
3⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\tmp8794.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8794.tmp.exe" C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83yuyykm.0.vb
Filesize
14KB

MD5
16381f0c010ff90456085ad2f546130c

SHA1
08501937f96a5ffddbb0ffc8c209166e613bcafd

SHA256
7d79b6678acbec389a23a4ff45dc314e0ec741036387bae63b842c739d24c3c1

SHA512
00778a6d118ca4ad7403e7a71cce83d2a43a549365cd41c59d93301794b98147a991ac01a61874619d796ace281263e2129912e971d11040d5c77dbf4b2f6b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\83yuyykm.cmdline
Filesize
266B

MD5
4ae00c3e7844bb86cf5e58f87d5a21ab

SHA1
0bcacfa47878f59ed42d71cbbc1e294884af2d08

SHA256
00246535f15967955cdbaf41e61bf566e1b334a6338e7f31c1338606f00fa902

SHA512
52e9d56145826f1bfa5a517e321125c0a10597f49ba1c7df16291e6d424f52e0cfaae5c6b276987c68657a001727cd300baf7290380eb378a71760dd0003150a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8959.tmp
Filesize
1KB

MD5
985530b9b1074272bafd87c0c0434851

SHA1
c3e52529d0940d4e75f1e84e8a9ef66cc92b8e74

SHA256
e12679d2b246c3fb5103ce90db8eceebc9ba8413a87a963c07d02b887faec17d

SHA512
5873ce405ae368635472f37cb2b0f87fe9305bfbb3b9f46e574c4b8baeff938005c2dbd45a283dea13721d3b2a034392c2f52efec113c126b349233d69e52ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8794.tmp.exe
Filesize
78KB

MD5
1b0cb20996cb788f36faecda660795c8

SHA1
2353e4cd0c68f88fdc1e676d44bb34f8a9e2f13b

SHA256
7a90934ee04b8c84e23814ea9e6fafa5f23dab709905a968a3deec3b2c917eec

SHA512
e3f851633105c17fad679dab3754c6105030195784a114cdeb0b799f307e7ca6754e5d6709ad2b26f3b4916c83597c802e5959553aa4a382c126ba9f7c5eb708

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8794.tmp.exe
Filesize
78KB

MD5
1b0cb20996cb788f36faecda660795c8

SHA1
2353e4cd0c68f88fdc1e676d44bb34f8a9e2f13b

SHA256
7a90934ee04b8c84e23814ea9e6fafa5f23dab709905a968a3deec3b2c917eec

SHA512
e3f851633105c17fad679dab3754c6105030195784a114cdeb0b799f307e7ca6754e5d6709ad2b26f3b4916c83597c802e5959553aa4a382c126ba9f7c5eb708

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBB91B7C89CE0401CA65F72A10B9D34D.TMP
Filesize
660B

MD5
4571e41d91dfe7bea8c7dad5d1b2d587

SHA1
c4f7a251824e7622397cfce7be33b8e9a85c85a5

SHA256
4c6e918c3061a4d4ac1ef6e01d3b71295965f4cc8bd1a5dea50f60816aeacb66

SHA512
d3167fbf459882531ff443740c9b7defec59c2b58f238f293e8436b12a0fe9f11b12a755448ba45375c212eae4962300790d0cb5cf98d0df4f04b4a6db2b49c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/3708-132-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/3708-143-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4440-133-0x0000000000000000-mapping.dmp

Download
memory/4816-141-0x0000000000000000-mapping.dmp

Download
memory/4816-144-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4816-145-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/5088-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads