metamorpherrat | f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-12-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
Size

78KB
MD5

c81293ebc99a7ae9d05ce8578d706985
SHA1

8e2fca3d280fa5d20da7313a60dc73c32cdfcadb
SHA256

f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541
SHA512

295e5d1e6c46695bea6fb73249d8f92c72893ba5af76b782dcd0ded37df389e803c8812465053961d48665a0676b8697428ca5ed8dfd69e5f69b5cff8c04f5f8
SSDEEP

1536:KRWV5j+dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96jT9/Kf1Gpg:KRWV5jJn7N041Qqhg6T9/3m

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp81ED.tmp.exe

pid process

1096 tmp81ED.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp81ED.tmp.exe

pid process

1096 tmp81ED.tmp.exe

pid	process
1096	tmp81ED.tmp.exe

pid	process
1096	tmp81ED.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe

pid	process
1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp81ED.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp81ED.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exetmp81ED.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
Token: SeDebugPrivilege	1096	tmp81ED.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exevbc.exe

description	pid	process	target process
PID 1148 wrote to memory of 1640	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe	vbc.exe
PID 1148 wrote to memory of 1640	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe	vbc.exe
PID 1148 wrote to memory of 1640	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe	vbc.exe
PID 1148 wrote to memory of 1640	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe	vbc.exe
PID 1640 wrote to memory of 980	1640	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 980	1640	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 980	1640	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 980	1640	vbc.exe	cvtres.exe
PID 1148 wrote to memory of 1096	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe	tmp81ED.tmp.exe
PID 1148 wrote to memory of 1096	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe	tmp81ED.tmp.exe
PID 1148 wrote to memory of 1096	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe	tmp81ED.tmp.exe
PID 1148 wrote to memory of 1096	1148	HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe	tmp81ED.tmp.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ozijhnt1.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89D9.tmp"
3⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89EA.tmp
Filesize
1KB

MD5
8ff3120db423ad83d9e57c8b20870b93

SHA1
4e7cba613ae784a4a0d70dea53eb0682feaf87b6

SHA256
65393a6827769552d7b3d1abaeac83d51fd38d4ae1b8840a42f68b062085acdd

SHA512
894cb1b9adb852eb3b99d426c69a4f378e778f7b33001c80546d3042c0689803ef1ecb93fab53d3a39c7a99db25ad7409c630849d4435403476d3d5f092b205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozijhnt1.0.vb
Filesize
14KB

MD5
025bada906c8c3001a6232499df55798

SHA1
9ef56c31a01997464fce984ba5b6fd7324b655d0

SHA256
65dccd8bdbcdf22b35bc3470965eaad77a8a50792dd777cb331095832d557c84

SHA512
5de7bcacdefc60ba52a6d0935e305771656becb123d651fa2acc72c867c3d2168c6e26cc30414bc06a7f03df9cdd1472a5fb67a8bcd5322334477e9b1a1867c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozijhnt1.cmdline
Filesize
266B

MD5
2cf51b0ea0cf97856ff7f9d809347c88

SHA1
49e9e40ad6fcd8de507a46e19caa9cd90253d444

SHA256
b435a8f26b8622de42ceb6699e248157fb2b928a2770b1c8de3aef04616cda19

SHA512
366850e1293baaa43d81bdaa8544ba5ab146afe97732d34300d851602f01a30276f6054d33153e46bdf8da0f0e1b9399fc7c7384b154d5a057bed29b42efde00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe
Filesize
78KB

MD5
879ffd45cdf2723fa3dc5e50ee4c60a6

SHA1
da4dd30739e5e285df46f8f62f564cb1959751dc

SHA256
5e2b1ccd98ce596c989d9cf9757aa65bf91a7ce13b0e0997f24339df120da828

SHA512
984408a0c371b3b73c6a47d18c2dd00fc314ba47c4ae46d12cb9a9e5229b70aa43de6f644d98f1ecdac4491b415fb6ca91549cbf1a6d688c25ffb4df1ca2e238

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe
Filesize
78KB

MD5
879ffd45cdf2723fa3dc5e50ee4c60a6

SHA1
da4dd30739e5e285df46f8f62f564cb1959751dc

SHA256
5e2b1ccd98ce596c989d9cf9757aa65bf91a7ce13b0e0997f24339df120da828

SHA512
984408a0c371b3b73c6a47d18c2dd00fc314ba47c4ae46d12cb9a9e5229b70aa43de6f644d98f1ecdac4491b415fb6ca91549cbf1a6d688c25ffb4df1ca2e238

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc89D9.tmp
Filesize
660B

MD5
58f96ca60bd0009bb1f45b847fb6820c

SHA1
bfafbc2617585c3d10b3d37d2dc4000fba4be234

SHA256
0e0c7f5bafda7b5356bdf3bd4c5f7ff1da585be428ed57be26b8f86e6da67cb1

SHA512
34a474ae13cfad9d5102d127463c79babe97bd846b10b8f34c87385c64411b30c4634d57f0d297dc005bf4b1cc5b165fefa64f7c7b96c0f8dd99c5210d50417d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe
Filesize
78KB

MD5
879ffd45cdf2723fa3dc5e50ee4c60a6

SHA1
da4dd30739e5e285df46f8f62f564cb1959751dc

SHA256
5e2b1ccd98ce596c989d9cf9757aa65bf91a7ce13b0e0997f24339df120da828

SHA512
984408a0c371b3b73c6a47d18c2dd00fc314ba47c4ae46d12cb9a9e5229b70aa43de6f644d98f1ecdac4491b415fb6ca91549cbf1a6d688c25ffb4df1ca2e238

Download Submit
\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe
Filesize
78KB

MD5
879ffd45cdf2723fa3dc5e50ee4c60a6

SHA1
da4dd30739e5e285df46f8f62f564cb1959751dc

SHA256
5e2b1ccd98ce596c989d9cf9757aa65bf91a7ce13b0e0997f24339df120da828

SHA512
984408a0c371b3b73c6a47d18c2dd00fc314ba47c4ae46d12cb9a9e5229b70aa43de6f644d98f1ecdac4491b415fb6ca91549cbf1a6d688c25ffb4df1ca2e238

Download Submit
memory/980-60-0x0000000000000000-mapping.dmp

Download
memory/1096-66-0x0000000000000000-mapping.dmp

Download
memory/1096-70-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-71-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-72-0x0000000000A25000-0x0000000000A36000-memory.dmp

Filesize
68KB

Download
memory/1148-55-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1148-54-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1148-69-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-56-0x0000000000000000-mapping.dmp

Download