metamorpherrat | 648d448c21c568b2c47e94074faa94ba96ea969bca01683af676fb46e536e26c

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 20:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
Size

80KB
MD5

a56ba5c6af0cb8bf872e208af0948cf0
SHA1

ac1d7b08d4e44e38c01b9e8b38a3f7aa080df541
SHA256

648d448c21c568b2c47e94074faa94ba96ea969bca01683af676fb46e536e26c
SHA512

38d1624b62bc7cfbf730550c66c4906186738ddbd0bede6a557446f24bd06c8680b81deb31b5caa1ecdf6eaeab0c75d95dcff3fd316941190f2656b1ff59b853
SSDEEP

1536:8PCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtK9/p1edp:8PCHs3xSyRxvY3md+dWWZyK9/Cp

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2432	tmp77EE.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp77EE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
Token: SeDebugPrivilege	2432	tmp77EE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2716	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	28
PID 2888 wrote to memory of 2716	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	28
PID 2888 wrote to memory of 2716	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	28
PID 2888 wrote to memory of 2716	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	28
PID 2716 wrote to memory of 2604	2716	vbc.exe	30
PID 2716 wrote to memory of 2604	2716	vbc.exe	30
PID 2716 wrote to memory of 2604	2716	vbc.exe	30
PID 2716 wrote to memory of 2604	2716	vbc.exe	30
PID 2888 wrote to memory of 2432	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	31
PID 2888 wrote to memory of 2432	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	31
PID 2888 wrote to memory of 2432	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	31
PID 2888 wrote to memory of 2432	2888	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ty3ukys.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7936.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7935.tmp"
    3⤵
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\tmp77EE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp77EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ty3ukys.0.vb

Filesize
15KB

MD5
05d71101d042a55ca80f77bec3f02b92

SHA1
6969190a771dc9379f1f9ef8cf9e41a3981dafdf

SHA256
16ebc6ca363a499465d9698123fb12c6a87a0053bb82ef08dd659d4ac5a5bd88

SHA512
544fc422c31418b5a5844b05029d03e695d128c8ead54a64cd787dc0bb55ba55bcbf37755efc2d47048fa38dc4d4710b5ce66211b2adabbd13f225d5145ad41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ty3ukys.cmdline

Filesize
266B

MD5
a0a567dfc1127e16bfaeb31bc3516ca0

SHA1
086c825646ac67ca4212f7a9b140978da29b32a5

SHA256
177e82a1bb338b39e3048885fdc2d7901704638f8580a1da7dc308e7c2c476d7

SHA512
4ebb0480196dce2a34eb3585ec69508bd4c9f6427611ab61578841b0b7885efe0ad65f480e0a0850fc0fef5f74af3c47fabd0e9a6329683f92db1971d465bc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7936.tmp

Filesize
1KB

MD5
4678440b91fcabf73f19d4bd62a19a8d

SHA1
518e928c2ba69fb6795347905950d8357454d64b

SHA256
856a6016f0ba2dc97d87efaf29edc44b96aaeb38eaef3dcc6de7ca41065a81e4

SHA512
b44c57cd2dbbb81b1775fb779214e7f67f37391ff0bf4d7891eb28578d0a69c3364d2e42505d99ee0306bb448e844226a15b9011a85726c91645b5409470bab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77EE.tmp.exe

Filesize
78KB

MD5
35fa7d9f7bc5bb092fda775ff9146fbf

SHA1
48b34b4d85324f0bfb0b74a4a93aebd2315f747d

SHA256
1e61f8f9523f5f2f1bd79b0e9e7820c68923fea12f8cdb6f606af78ca9dfaaae

SHA512
eb554e9564898ad99deec3bd4d0c0ccd7bd74e07ef5eebb54862da3ecd7ff09c2dc84059870a0253c4c4fca7d849503f58853dc198675493cc82b610d56381ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77EE.tmp.exe

Filesize
78KB

MD5
35fa7d9f7bc5bb092fda775ff9146fbf

SHA1
48b34b4d85324f0bfb0b74a4a93aebd2315f747d

SHA256
1e61f8f9523f5f2f1bd79b0e9e7820c68923fea12f8cdb6f606af78ca9dfaaae

SHA512
eb554e9564898ad99deec3bd4d0c0ccd7bd74e07ef5eebb54862da3ecd7ff09c2dc84059870a0253c4c4fca7d849503f58853dc198675493cc82b610d56381ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7935.tmp

Filesize
660B

MD5
570542782c7cb821b576805fc5215dfa

SHA1
63f452ad9cef319e20c38f071d147aba9597de61

SHA256
5965aa961ee9e43a641535ca7dd63d7f597fd06d4c8a726eec6ca57d94df1fc8

SHA512
da1db4ee1d2304ce25912ba9178bf93143036349c46c1fbb89b0ba098c7609c13e4c775e2b75789307412229a544fb5757e5b5239b0f522f226160bd86aa24d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp77EE.tmp.exe

Filesize
78KB

MD5
35fa7d9f7bc5bb092fda775ff9146fbf

SHA1
48b34b4d85324f0bfb0b74a4a93aebd2315f747d

SHA256
1e61f8f9523f5f2f1bd79b0e9e7820c68923fea12f8cdb6f606af78ca9dfaaae

SHA512
eb554e9564898ad99deec3bd4d0c0ccd7bd74e07ef5eebb54862da3ecd7ff09c2dc84059870a0253c4c4fca7d849503f58853dc198675493cc82b610d56381ca

Download Submit
\Users\Admin\AppData\Local\Temp\tmp77EE.tmp.exe

Filesize
78KB

MD5
35fa7d9f7bc5bb092fda775ff9146fbf

SHA1
48b34b4d85324f0bfb0b74a4a93aebd2315f747d

SHA256
1e61f8f9523f5f2f1bd79b0e9e7820c68923fea12f8cdb6f606af78ca9dfaaae

SHA512
eb554e9564898ad99deec3bd4d0c0ccd7bd74e07ef5eebb54862da3ecd7ff09c2dc84059870a0253c4c4fca7d849503f58853dc198675493cc82b610d56381ca

Download Submit
memory/2432-24-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2432-23-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-25-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-28-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2432-27-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-29-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2888-0-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-1-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-22-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-2-0x00000000007D0000-0x0000000000810000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads