metamorpherrat | d57f156c23c0429dc51ccd8d1dfbedb700466ec89ee03c8722bad9df9c182774

General

Target

376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
Size

78KB
MD5

376dedca7b965f4e92d716915589dfe0
SHA1

441da49f039e2376cd9d6054bce8ad8f9613239c
SHA256

d57f156c23c0429dc51ccd8d1dfbedb700466ec89ee03c8722bad9df9c182774
SHA512

cb80adaa04be365626feeb046ca411600f92c23700ecb98cdb281cd1e2f181451459278a0bc55ed5f6bd17f51a79b454957832f854352044273ddf838435be77
SSDEEP

1536:1PWV5qLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6h9/op1pT:1PWV5UE2EwR4uY41HyvYZ9/o

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp4E8D.tmp.exe

pid process

4928 tmp4E8D.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4E8D.tmp.exe

pid process

4928 tmp4E8D.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4928	tmp4E8D.tmp.exe

pid	process
4928	tmp4E8D.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp4E8D.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp4E8D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exetmp4E8D.tmp.exe

description pid process

Token: SeDebugPrivilege 2424 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
Token: SeDebugPrivilege 4928 tmp4E8D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2424	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4928	tmp4E8D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2424 wrote to memory of 4344	2424	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	vbc.exe
PID 2424 wrote to memory of 4344	2424	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	vbc.exe
PID 2424 wrote to memory of 4344	2424	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	vbc.exe
PID 4344 wrote to memory of 4944	4344	vbc.exe	cvtres.exe
PID 4344 wrote to memory of 4944	4344	vbc.exe	cvtres.exe
PID 4344 wrote to memory of 4944	4344	vbc.exe	cvtres.exe
PID 2424 wrote to memory of 4928	2424	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	tmp4E8D.tmp.exe
PID 2424 wrote to memory of 4928	2424	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	tmp4E8D.tmp.exe
PID 2424 wrote to memory of 4928	2424	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	tmp4E8D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\baon0sci.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC49752CAB734C71B2413CCC361C1772.TMP"
3⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4FB6.tmp
Filesize
1KB

MD5
c5e44bae0a92c1074a2b5e8e0d25d4eb

SHA1
fc319e88adb7eb4488dea1fa9c11830b9f47131b

SHA256
9065b15be55ce3acd8173e3f07ed7e003b964d0cf254db1b0a938f19681ad014

SHA512
f41f1e84b18bfd12f08400e6e80721fe98b5ca484004ebae657e7372f23e7dd2ab220f034fb4377b548eacb28c576a38b146fa29ac63003b76db3a7a4d2304ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\baon0sci.0.vb
Filesize
14KB

MD5
9b5193cf19390505cb0c708904354856

SHA1
6c604b36c884d62a2cadfe6b1abcde1fc87dc472

SHA256
99914b9a5aa75577c532dea456e5d78a06cd603c9303a72ed8327b07e560bc0a

SHA512
abec3203c4d2b02f411df7e4656665a3535bcb581626dea3e5ab4c1d0a1c1069f696b9bfde4da9f6db0ae691ef4f6e8fff93d079f7b81adca5888821267a72ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\baon0sci.cmdline
Filesize
266B

MD5
5e4ed4224e9f8d239600bd7b73e49c10

SHA1
2d8e6f5917966237588b79094cca3fc91ea73edb

SHA256
68545184e768ca8687937f48b83e7e14454506d07a60e2e0c69a318685c78561

SHA512
ca56d319d33fcb5955b6d7d80bc4f510ea62784ca20982e43ca57ff8eee0f9c266ee6536c8a1d70143a30eca755c18a4a2783327594af1f403295b917b328bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.exe
Filesize
78KB

MD5
a4fa08834c0042f2beca3fc22dcc7f31

SHA1
14901744de443e014abba17729e9a841335246af

SHA256
3b45b9dda270c249a49fdd19488771e19a51af17a3d4b406f57371d1cf189e0e

SHA512
800abb29dac42a6f60714553c3b5225572cb756bbb05d1f9956012a45ced99bb4cebc0c47d1e866d0509ce314f4ae62f09fff54bb40c34374713e0af59b5f0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC49752CAB734C71B2413CCC361C1772.TMP
Filesize
660B

MD5
4155832afb6f682718d8df9bfae3a8f4

SHA1
e72d1dd5d438486c80c6b2c0027bb96f407edcf5

SHA256
714dc712edf01de3efb5b4a039c8f390fd0ec639f2e436565334afa3c319d5ec

SHA512
1d91435a33201f9dd57f1463d7a6b852e363defc5a976922a9cf191dd0af785037bf67a425dc380bf0a1100d88bf4812419497a9afc81e4757653d3b7ffb2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2424-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2424-2-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2424-0-0x0000000074832000-0x0000000074833000-memory.dmp

Filesize
4KB

Download
memory/2424-22-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-8-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-18-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-23-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-25-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-24-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-27-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-28-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-29-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads