metamorpherrat | 33bfdf7cc9a7aeaae48dfd502ce3d7d9a4912b0968a985e9ecafd629a123138c

Analysis

max time kernel
150s
max time network
167s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
11/11/2023, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d76292ec99b5d78861bab2187c494c80.exe
Size

78KB
MD5

d76292ec99b5d78861bab2187c494c80
SHA1

bc0c1af3ea0e1a80cc6751888f5c2228145fcb0f
SHA256

33bfdf7cc9a7aeaae48dfd502ce3d7d9a4912b0968a985e9ecafd629a123138c
SHA512

c88fc1bf663cb9b669b1d7e2a8ad9e09b9cea5556dd7a8a51668501b25689a00ac0ffa6d2d2ab73ea6bfa15c94cbe477fb61e1fe92adaf69ee04479e7aff172c
SSDEEP

1536:6CHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtZ9/8R11A:6CHFq3Ln7N041QqhgZ9/9

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2576	tmp8778.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe
2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8778.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe
Token: SeDebugPrivilege	2576	tmp8778.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 3036	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe	28
PID 2396 wrote to memory of 3036	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe	28
PID 2396 wrote to memory of 3036	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe	28
PID 2396 wrote to memory of 3036	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe	28
PID 3036 wrote to memory of 2684	3036	vbc.exe	30
PID 3036 wrote to memory of 2684	3036	vbc.exe	30
PID 3036 wrote to memory of 2684	3036	vbc.exe	30
PID 3036 wrote to memory of 2684	3036	vbc.exe	30
PID 2396 wrote to memory of 2576	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe	31
PID 2396 wrote to memory of 2576	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe	31
PID 2396 wrote to memory of 2576	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe	31
PID 2396 wrote to memory of 2576	2396	NEAS.d76292ec99b5d78861bab2187c494c80.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ls0rgrge.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES893D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc893C.tmp"
    3⤵
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmp8778.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8778.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES893D.tmp

Filesize
1KB

MD5
79c6a387ba75d270f02e556780a2c587

SHA1
1fe0b5f064e8e4098f48a9b636fd3c4238e9cf3b

SHA256
5af24641e1627785310571522d404cf309962d6f584d8460ec3b0fd5dc0540c6

SHA512
c7adc797588639ad2e7c027e7d56e858d6cde096fd4c2617e973571597e9cbcfaa0b68de3fe306d263088c253dfdcbdc296a7e03c44d668035950b054d4adf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\ls0rgrge.0.vb

Filesize
15KB

MD5
2ef3fc2aef4c0dc72d3741a26427f722

SHA1
860d7ba69e42bae39ca78ba910b4242d977bf9d3

SHA256
ba61c8da3296f77c350d1c0ee0ccb9d373da4156431a3b44189c2129dc63c4e0

SHA512
089dd67d151f297ef32c49b54386e5640a7f7742048eefe9a2a90b9f520605d706a9325a0ac9ff37442c8107f5da4b19c9d73ae1408517f3830cfcefb3cac205

Download Submit
C:\Users\Admin\AppData\Local\Temp\ls0rgrge.cmdline

Filesize
266B

MD5
fc2483db775e21fefcb495c6bc761d9b

SHA1
11912e09585b8e79644827631ff01adecc8b54a3

SHA256
d083d7704f7644a23e3f8deafda288776b209d34a9b22e63584a0853a2be128d

SHA512
f43554f3d40b218b71cb66f388d7a90ac29ac5a79a7cd8beaa027224df5b35bbbd22229ce5e73347519568d9faaa79f864356ec280e0022a9c5543d805cbdda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8778.tmp.exe

Filesize
78KB

MD5
46167103cdc0e4e97c5a828444cd4db8

SHA1
88db81a9b0a8468cb046d424046373c2307d0c4d

SHA256
7c5f1f768043f1cd7ee54d60f6387c40f0a3a6e66b78252e440661f22f1c4908

SHA512
20b1d30809ced4dcd11f33a5a11e86328eec56d5ea3d2521d883d4e37f7fef09f11ad33503d753edf3421ebbd0d9ff0f4e72ed000dbf39df462358a0a8eac1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8778.tmp.exe

Filesize
78KB

MD5
46167103cdc0e4e97c5a828444cd4db8

SHA1
88db81a9b0a8468cb046d424046373c2307d0c4d

SHA256
7c5f1f768043f1cd7ee54d60f6387c40f0a3a6e66b78252e440661f22f1c4908

SHA512
20b1d30809ced4dcd11f33a5a11e86328eec56d5ea3d2521d883d4e37f7fef09f11ad33503d753edf3421ebbd0d9ff0f4e72ed000dbf39df462358a0a8eac1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc893C.tmp

Filesize
660B

MD5
c3ea4c8fa8c3f1c9bded97f25acd6bc2

SHA1
60e2433961890e3f2945a3b76b40a340e9bc7db2

SHA256
8045b2ac5fe99b87405715754bf6d7620e0e9e9cd7deaec7504bf4cc3ccc8570

SHA512
0883a498b8bca7570001b06f03a491a06d680a1abbeca20d5f2b319ef808d8acc20287a5968780dc3aad96331c96bc524777a59c656839cd3821ae99d9525738

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8778.tmp.exe

Filesize
78KB

MD5
46167103cdc0e4e97c5a828444cd4db8

SHA1
88db81a9b0a8468cb046d424046373c2307d0c4d

SHA256
7c5f1f768043f1cd7ee54d60f6387c40f0a3a6e66b78252e440661f22f1c4908

SHA512
20b1d30809ced4dcd11f33a5a11e86328eec56d5ea3d2521d883d4e37f7fef09f11ad33503d753edf3421ebbd0d9ff0f4e72ed000dbf39df462358a0a8eac1ca

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8778.tmp.exe

Filesize
78KB

MD5
46167103cdc0e4e97c5a828444cd4db8

SHA1
88db81a9b0a8468cb046d424046373c2307d0c4d

SHA256
7c5f1f768043f1cd7ee54d60f6387c40f0a3a6e66b78252e440661f22f1c4908

SHA512
20b1d30809ced4dcd11f33a5a11e86328eec56d5ea3d2521d883d4e37f7fef09f11ad33503d753edf3421ebbd0d9ff0f4e72ed000dbf39df462358a0a8eac1ca

Download Submit
memory/2396-1-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-2-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/2396-0-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-22-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-24-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/2576-23-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-26-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-27-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/2576-28-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads