metamorpherrat | aa8deb75c9f50318e05c4f7d9899d9ce5071da30d4f4e63070ec501bbb25651d

General

Target

087127699707ac6a2ed047227ed0c909.exe
Size

78KB
MD5

087127699707ac6a2ed047227ed0c909
SHA1

b587c245978c2a67cb934501a2f9b54adf6d2a39
SHA256

aa8deb75c9f50318e05c4f7d9899d9ce5071da30d4f4e63070ec501bbb25651d
SHA512

3fc626feb40f5c538a13b6e630639861c9d525bf6d01d28c8a75fd6a9de6aa819ed462efa5f0a908fb5b278b4b5d58ac0f19f2d17b11cd0ef9cb79e52efe7b86
SSDEEP

1536:Ac5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6E9/hb1yH:Ac5jS+E2EwR4uY41HyvYM9/w

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	087127699707ac6a2ed047227ed0c909.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	tmp498C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp498C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	087127699707ac6a2ed047227ed0c909.exe
Token: SeDebugPrivilege	2504	tmp498C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 4508	2944	087127699707ac6a2ed047227ed0c909.exe	32
PID 2944 wrote to memory of 4508	2944	087127699707ac6a2ed047227ed0c909.exe	32
PID 2944 wrote to memory of 4508	2944	087127699707ac6a2ed047227ed0c909.exe	32
PID 4508 wrote to memory of 2336	4508	vbc.exe	33
PID 4508 wrote to memory of 2336	4508	vbc.exe	33
PID 4508 wrote to memory of 2336	4508	vbc.exe	33
PID 2944 wrote to memory of 2504	2944	087127699707ac6a2ed047227ed0c909.exe	38
PID 2944 wrote to memory of 2504	2944	087127699707ac6a2ed047227ed0c909.exe	38
PID 2944 wrote to memory of 2504	2944	087127699707ac6a2ed047227ed0c909.exe	38

C:\Users\Admin\AppData\Local\Temp\087127699707ac6a2ed047227ed0c909.exe
"C:\Users\Admin\AppData\Local\Temp\087127699707ac6a2ed047227ed0c909.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuyenxuk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC2C69F6F2D447488F40DD11A557AAA.TMP"
    3⤵
    PID:2336
- C:\Users\Admin\AppData\Local\Temp\tmp498C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp498C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\087127699707ac6a2ed047227ed0c909.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4A47.tmp

Filesize
1KB

MD5
0ff4878734bd02c6f7dbc4e202da31b1

SHA1
b676eecc013ea99012896bb2001447e4c2cba6d3

SHA256
a3a456cf196afcca3ba9ce52af2083a4d9a33dce3613499020670676c6bc9e34

SHA512
03da4e7d4b2c48e829d323598269db23ed332615e52467a9bab49671898aefcc77eb3f5901ad5f4e0b9ad26dc0ea01d636a88f8efb3cf8984a9d7cefd1b42e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuyenxuk.0.vb

Filesize
14KB

MD5
63cab02baa0794c1883db4029ee5d791

SHA1
caacbf24220841ac268d6453718aff8de76b6d9a

SHA256
51101c944894d2f4544db7a2eb7eea6ece847f70127ec6b96af1b9258c54db0d

SHA512
1e0a695e4d067639b1ed343b8b69549921b592722228cd95e73fdc933e740216bdb2e6be2486706c47a4df19a08a2643500eb05154f8877d9f7bc44e21321927

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuyenxuk.cmdline

Filesize
266B

MD5
b191d1cddf346fa899cce8cd855e6150

SHA1
15135d9137eb205f86160d839f3327405686149e

SHA256
5781cf07926da06c1e2abf442fc8b3655f1d91397709e18f759aeca2f5676950

SHA512
d5f6d536194d76c51eb420300b6c98246ee6aa5ba90dc704d560f215ce2afa3765f2810e6ab02458039259369cc76ed4ea881fd56a1b2c0e2a49e0c701f9d9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp498C.tmp.exe

Filesize
68KB

MD5
ee73ce7596fd6f0fcf86a391c09c4237

SHA1
88272f38f25c71d0503738bdfa1f4bc5fafd9c27

SHA256
d1325a2d6f839a117ecb80f895c9736c71de652ba5baeb6fdf200b722605a215

SHA512
26df05ef9e57b9df64b0e4cea2cab5ee1c1379895fd586a4924198216905b921104574cff04c9506ef428225c132b09553cd88eb38bdc322f7929eb8903d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp498C.tmp.exe

Filesize
70KB

MD5
5e7f2d4aa804b10bd40c6d5b63991356

SHA1
f5d695b49fa609d0d1f6bcf5ceb9e29363d0764c

SHA256
da7424b8ae5daea7c4dc17a3da07ee9405819b219227b36b93d1d1a4cdb9ef86

SHA512
b8d8fa627173c50164992cace2dc716d6840a1dbe0f1ede4e356ffa81302042878cb5b15fb06743f94f92ed67acfb37d8dccc20bd712ae6252482deec91fbca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCC2C69F6F2D447488F40DD11A557AAA.TMP

Filesize
660B

MD5
dcd947aefc493cc2c9d47fe1b8f7d87c

SHA1
84b1c976202fc2bb5b80d25c891a9ec7d1fad248

SHA256
c0ffe1c74cb154bb8a3d3884fc512d8a8c812ce1c2a5a6fceaf1df1d1a880c39

SHA512
65a753d3ebe30a644214b825d2d84c3bfa4969c2e0645ed2b7b2ee23f830b0e06ca0baf7b48d099364a29670dc037e1f59bd8bc8310e13f7dbd6ee390df72234

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
32KB

MD5
4123b925e69d17ceeb97a7602bb29347

SHA1
9c1238cf33252ba5a31e2a13fb9edec8e268ca92

SHA256
9cc90f6dee9e7c856834c50a59557d84254569f4bdcf8b6e57602e30ac19fbe3

SHA512
100bd0ee78872b89ec329c213a9b7efc88e9bb9932fb5b1b707db434e05b0c600087a3854dc9242505fca5fc73b95e9ca6eaee6cf1e147b72760939cbd1527e6

Download Submit
memory/2504-29-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/2504-27-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2504-28-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/2504-22-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2504-24-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2504-23-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/2504-26-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/2944-2-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/2944-21-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-0-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-1-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4508-8-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads