metamorpherrat | 82facf63fe64f92f5c0ad240a0525faf0561691dbb6decd790d49a5a8eacda47

General

Target

0ef77e7056e91bce5f9c70414b10c470N.exe
Size

78KB
MD5

0ef77e7056e91bce5f9c70414b10c470
SHA1

924c459c451a3bcdb8d10408dae05b80232470bc
SHA256

82facf63fe64f92f5c0ad240a0525faf0561691dbb6decd790d49a5a8eacda47
SHA512

1f66c51eee4cf01ab93ae3ae5eb272fdc024a572611843d0b1f2a94adfa566f27a8a88ca2abd61a89b68fafffc973874258532a8fe6feba1469917974f0d7f0b
SSDEEP

1536:csHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtM9/i182:csHYnhASyRxvhTzXPvCbW2UM9/E

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ef77e7056e91bce5f9c70414b10c470N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	0ef77e7056e91bce5f9c70414b10c470N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp971F.tmp.exe

pid process

2004 tmp971F.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2004	tmp971F.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp971F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp971F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0ef77e7056e91bce5f9c70414b10c470N.exetmp971F.tmp.exe

description pid process

Token: SeDebugPrivilege 3720 0ef77e7056e91bce5f9c70414b10c470N.exe
Token: SeDebugPrivilege 2004 tmp971F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3720	0ef77e7056e91bce5f9c70414b10c470N.exe
Token: SeDebugPrivilege	2004	tmp971F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0ef77e7056e91bce5f9c70414b10c470N.exevbc.exe

description	pid	process	target process
PID 3720 wrote to memory of 1836	3720	0ef77e7056e91bce5f9c70414b10c470N.exe	vbc.exe
PID 3720 wrote to memory of 1836	3720	0ef77e7056e91bce5f9c70414b10c470N.exe	vbc.exe
PID 3720 wrote to memory of 1836	3720	0ef77e7056e91bce5f9c70414b10c470N.exe	vbc.exe
PID 1836 wrote to memory of 1296	1836	vbc.exe	cvtres.exe
PID 1836 wrote to memory of 1296	1836	vbc.exe	cvtres.exe
PID 1836 wrote to memory of 1296	1836	vbc.exe	cvtres.exe
PID 3720 wrote to memory of 2004	3720	0ef77e7056e91bce5f9c70414b10c470N.exe	tmp971F.tmp.exe
PID 3720 wrote to memory of 2004	3720	0ef77e7056e91bce5f9c70414b10c470N.exe	tmp971F.tmp.exe
PID 3720 wrote to memory of 2004	3720	0ef77e7056e91bce5f9c70414b10c470N.exe	tmp971F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe
"C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfuiyvwn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7FE27E7971F4E48934DB59F2BA7A3B3.TMP"
3⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES97EA.tmp
Filesize
1KB

MD5
20f72fd885eb43eeb2f3ff6cf65191b1

SHA1
08b186e16762ec4e1d05279ff9c995de25b8c4fe

SHA256
8abc176c146273e336cb4c16cc30350906eb4f9b79a9c9d1eedc4155b3ba9917

SHA512
124549aca89f79a6284ed39d4475403780bc78b531636dd2e50899b67df2f6929bdcf779f7dec7e1b4a269f9c52727ef3e87a9528bd01c8b01796b9e4517a34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfuiyvwn.0.vb
Filesize
15KB

MD5
f70b737535a2f824016b0998f59604e8

SHA1
3081bfe39eee97f00b046a77422d601da84a409c

SHA256
38618d7cd204ac3de250bc0016ebc0fe9a3c4e5592ffc7a66ddd8ce2f04b0e86

SHA512
69f37a7796d6422e6582083749ef4532f3a33d5fa994aa64f6a9dedd9406478e0effee4f88ba5a966623773cf32286d0dd6465ee5cac645b16b5f6393eb7e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfuiyvwn.cmdline
Filesize
266B

MD5
a53f6fc523a6159228945059654dbc34

SHA1
11b58d8da2f2ebc6fd534ce343eb535347f71a7a

SHA256
8251df0a530e69bb36a5b57d80ed040534faac308c45df3d9041a0e42372fc6c

SHA512
78792b4b574a3168773970c80a9cd594b06d13f3e069f41c054b88b488709fb97c82d88f82cb38ce3d7da4dced387a1b842af5c37d04efa196ac5c3de9beac54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe
Filesize
78KB

MD5
aca15e5b63d89dfbc0b41d089bbefe8a

SHA1
ed5afce791187b0277d6aedc2cde475bcfe489c7

SHA256
d7ef759a179ce9fa60daa5393221617e4a34ecb8783f82eda99fe82be3222f84

SHA512
3315774afcd2dbdd0db07cb02b62e74d22fdbc37368bfb301da00d50fca6e4e4033ca780565887f713f12cb1b814074857e360a8691747b58cbb6c94dc458156

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD7FE27E7971F4E48934DB59F2BA7A3B3.TMP
Filesize
660B

MD5
922b54e33eb3783edd463d32b0ad6f44

SHA1
a0be1a49f45c8e35aec02183147eeccb848c786b

SHA256
e486bb3336244c771520c9c9ef763fb518bc8fc3e1712ae37da70fc9db0a13a7

SHA512
2ae29898000e7bc898f1963d240b552ad92592cdd447ec18b8135523ce07500035df7aa9a8f8327b4861582e9e2185d7ceea63eb6820b9d132698595d3a5a8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1836-9-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1836-18-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/2004-23-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/2004-24-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/2004-26-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/2004-27-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/2004-28-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/3720-0-0x0000000074A42000-0x0000000074A43000-memory.dmp

Filesize
4KB

Download
memory/3720-2-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/3720-1-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/3720-22-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads