metamorpherrat | 07a77b0fc3132d39ee41ab4dbd1bbbdf15ffe8ebfe576cf914a1ec2132dcdcbe

General

Target

099cef853def114c5177030cdfe69c60N.exe
Size

78KB
MD5

099cef853def114c5177030cdfe69c60
SHA1

8b42410fb5e14ff02ff975ff7cf53250acdfb16e
SHA256

07a77b0fc3132d39ee41ab4dbd1bbbdf15ffe8ebfe576cf914a1ec2132dcdcbe
SHA512

0a252b31fe7f3073351fced73d3d7860c1fbbd47479f697237da1477792cf22fa3e7b0fcfcd8e7edb1d9ef8f3a17d461eaa3ce8dbbeba1e4a9ef48234df2b42f
SSDEEP

1536:tcPCHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qta9/Vs:2PCHFoI3ZAtWDDILJLovbicqOq3o+nao

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

099cef853def114c5177030cdfe69c60N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	099cef853def114c5177030cdfe69c60N.exe

Deletes itself 1 IoCs

Processes:

tmp8DB9.tmp.exe

pid process

3616 tmp8DB9.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp8DB9.tmp.exe

pid process

3616 tmp8DB9.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3616	tmp8DB9.tmp.exe

pid	process
3616	tmp8DB9.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp8DB9.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8DB9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

099cef853def114c5177030cdfe69c60N.exetmp8DB9.tmp.exe

description pid process

Token: SeDebugPrivilege 4372 099cef853def114c5177030cdfe69c60N.exe
Token: SeDebugPrivilege 3616 tmp8DB9.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4372	099cef853def114c5177030cdfe69c60N.exe
Token: SeDebugPrivilege	3616	tmp8DB9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

099cef853def114c5177030cdfe69c60N.exevbc.exe

description	pid	process	target process
PID 4372 wrote to memory of 4104	4372	099cef853def114c5177030cdfe69c60N.exe	vbc.exe
PID 4372 wrote to memory of 4104	4372	099cef853def114c5177030cdfe69c60N.exe	vbc.exe
PID 4372 wrote to memory of 4104	4372	099cef853def114c5177030cdfe69c60N.exe	vbc.exe
PID 4104 wrote to memory of 2072	4104	vbc.exe	cvtres.exe
PID 4104 wrote to memory of 2072	4104	vbc.exe	cvtres.exe
PID 4104 wrote to memory of 2072	4104	vbc.exe	cvtres.exe
PID 4372 wrote to memory of 3616	4372	099cef853def114c5177030cdfe69c60N.exe	tmp8DB9.tmp.exe
PID 4372 wrote to memory of 3616	4372	099cef853def114c5177030cdfe69c60N.exe	tmp8DB9.tmp.exe
PID 4372 wrote to memory of 3616	4372	099cef853def114c5177030cdfe69c60N.exe	tmp8DB9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe
"C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lxm_m6ow.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61E4E44C28854032A0AA4BCD88095C0.TMP"
3⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8F7E.tmp
Filesize
1KB

MD5
4a61dd111e7a06b581a1dbb7bd3858ce

SHA1
811cc1cda92fd34f6fb747931125b9d02a1a6850

SHA256
5baedae6982dfd38b2bc2716564936082a969f9f3ed53d84d8647044f4e1093e

SHA512
92a585e693cba327d2f4e3cc0c0f5863a7f334f017c175c138193410e5683e27565b8f341041b6afbdff8f47bca54c6229406ab35a6e91cb9fe82d6e032bc771

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxm_m6ow.0.vb
Filesize
15KB

MD5
8d088629242a101fe108f32c82221373

SHA1
efe7603d27dbcc93a70bb8d6499ef509f47776d8

SHA256
806c8336ea89b9c01baa3a7d9cefda32a29c26bb223321b5c18f887b56d890cc

SHA512
12dab1416263a72171ad04331cd274c4c18c8f115f9c1a9d82dafb5c4b673ad38e7f87577cc65d78487c0658d42d6749ac3558a8281532a37011295e09bb3fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxm_m6ow.cmdline
Filesize
266B

MD5
7ed3aea56abcdc1775099062227bc8b6

SHA1
25e64b9b177e65a4b0adef2fd340cb75cb3476aa

SHA256
d98cf3ff7c4d2df34091bcc23977b4482bb31e5c984728058a51443fefbf1083

SHA512
5ea8ca43be673fb6265f0ec4885a17e52169f9502e600461a633b019dcdf8700c26087284b113b74dede3fdd6c035f4305441a50a39c09b8274403cf29280761

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe
Filesize
78KB

MD5
4ac5a491df161bc762b5170e8dd6ce13

SHA1
081cb529f697d5cc29b412ac8fe2e6d95e4c233b

SHA256
c5a218ffac96fd2e61b250d66dc45b72af2b41976afc18486cb8dc618c54627c

SHA512
946a19401d644e31b0cd47971de257daf26fb2384ddcf9f5e57cf7b5125f514a9d841628ea63893319d4b16c740a06b59aadae9db91507d82e83cd7ee263704f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc61E4E44C28854032A0AA4BCD88095C0.TMP
Filesize
660B

MD5
1523d569d20858f189549fdd9241876b

SHA1
e4183ee31370011b686e75e939569eafe402bbc6

SHA256
62b1a8592d30a43f2ad4250a9ccc44b032bf695202de794a4790e9e0c3f243d5

SHA512
26f8c6e9f6b87e7bf9b066cb01c3ce008cfc49d8afa8d620969615f11e8668b1df474dfb53f071470302d95784136f651553ef2c69358e44d6b6b7d5668e23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3616-24-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3616-27-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3616-26-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3616-25-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3616-23-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4104-18-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4104-9-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4372-22-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4372-2-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4372-1-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4372-0-0x0000000075472000-0x0000000075473000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads