metamorpherrat | 4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e

General

Target

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
Size

78KB
MD5

01870f77e360b7650820645411825ca5
SHA1

9257e1e7abdb47b7514d4a140a885905be573dfa
SHA256

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e
SHA512

e116e8d947e2cc166e83e55ece6808bd674d62f8c077fb815955769b90d63897a5c380a745648160294058f94067b5d72f70cb61749605b39c925a4ccbfbff84
SSDEEP

1536:NtHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtW99/x1So:NtHY53Ln7N041QqhgW99/n

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe

Deletes itself 1 IoCs

Processes:

tmpE791.tmp.exe

pid process

4676 tmpE791.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpE791.tmp.exe

pid process

4676 tmpE791.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4676	tmpE791.tmp.exe

pid	process
4676	tmpE791.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpE791.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpE791.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exetmpE791.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4520	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
Token: SeDebugPrivilege	4676	tmpE791.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exevbc.exe

description	pid	process	target process
PID 4520 wrote to memory of 1832	4520	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	vbc.exe
PID 4520 wrote to memory of 1832	4520	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	vbc.exe
PID 4520 wrote to memory of 1832	4520	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	vbc.exe
PID 1832 wrote to memory of 4032	1832	vbc.exe	cvtres.exe
PID 1832 wrote to memory of 4032	1832	vbc.exe	cvtres.exe
PID 1832 wrote to memory of 4032	1832	vbc.exe	cvtres.exe
PID 4520 wrote to memory of 4676	4520	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	tmpE791.tmp.exe
PID 4520 wrote to memory of 4676	4520	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	tmpE791.tmp.exe
PID 4520 wrote to memory of 4676	4520	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	tmpE791.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
"C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tdclnuij.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE937.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7952F0CA5F174CA38182522C8916B7DF.TMP"
3⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\tmpE791.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE791.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
1⤵
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE937.tmp
Filesize
1KB

MD5
86040811e0bb1a5705ca7a207b4e61ed

SHA1
64dbf30c8a53cdc2e1a4797b4a725e80e48307b6

SHA256
5c66c92fd9ef22dc5834d65211d300dc9d9bf0b10b8b83268364a0bac472e741

SHA512
c1598e0d9e197245582ffcf03e514ce1d799344072868c5abc0e64d66047039371b4bb1bf14620f8c5028f8b761303fd155e77f9ca6cd31f3dea609052bc9f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdclnuij.0.vb
Filesize
15KB

MD5
936ca2acf0f8df295d413c9b02ef82e7

SHA1
7a37947042f7212e60971c33a557e6e88ea85ad9

SHA256
bc6690fc16f11a520c78792e3b07f90522daf3e0cdcac95cadf1ea059db3e379

SHA512
d903cfe101b10bd75ff7f5563b22363c8c3ab74dddacc43ba1818aa957fff196602bc2d0be7498525dba7c94888b7a304d5ea8d5993ad737bd0c00ed32047131

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdclnuij.cmdline
Filesize
266B

MD5
178129b8f849b75e3603dc159709f631

SHA1
f89405c9d4ce381a5875bd5ad2b6ee2a1223bc57

SHA256
0c91a67c08696431d6528de12fa9ed7f08a015e54e87d2279ae8ba8929e94728

SHA512
fc6b66dbe6587afca9fec38b129f79ce3c3d1450d673c8fd2b072e5f681175822b9a6b692a3dc6036d4b2f91399d32367f96da3f126500f79231cc9deb94f7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE791.tmp.exe
Filesize
78KB

MD5
7df41233cfc3755489ea77fd1c7fd763

SHA1
a6b2b70ee028888b38e04247c822b55284ec105f

SHA256
5cc91b6c7ac65ce3b509bb18551c846e38ee1fef59a753662a2d804819910ffa

SHA512
e774c8bedd2c89877810b068e99ac729be59c97e338fbca17017d5498da8dd87c71c0f390a71bfe78d0fd7a9516d398eac05bd360716130706dd4407e12a06b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7952F0CA5F174CA38182522C8916B7DF.TMP
Filesize
660B

MD5
c901c9f8646711ceeff2a5135875b323

SHA1
8ea32f5a4c3dda597ff8745fcc91ba7d85e74c13

SHA256
1fe14aecb174fbfa74a0b8c4f0e9ccadb861a653b34e438c57e23ad6b193e1c7

SHA512
4960c1afe53260e9ff283954f2e3131fe4f9a9f234f9d84114a0268d2a35fe1f95da2f97d4b488e0da698c07f68659cd997e5dd347bd160acd706dd93235a079

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1832-18-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1832-9-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4520-2-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4520-1-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4520-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

Filesize
4KB

Download
memory/4520-22-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4676-23-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4676-24-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4676-26-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4676-27-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4676-28-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads