metamorpherrat | dfadb1a98835ff8b2f88c84c544d7e1a944b37ea2ff085b56c44ba0337185394

General

Target

7eb691f7e305078328210e594ec87900N.exe
Size

78KB
MD5

7eb691f7e305078328210e594ec87900
SHA1

f04b8a2ed0080f712290d3cd5651daebd44a5613
SHA256

dfadb1a98835ff8b2f88c84c544d7e1a944b37ea2ff085b56c44ba0337185394
SHA512

a2c8e5a4c3d4eec02ddcb7ce7bbaae9501474b8c916455c1dd21b3040e1a7a6b090e5866888493cb95b42d7b2fdbef04e39c1c4ac16e4c1adeb0538a6bea2f25
SSDEEP

1536:7RCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteW9/J1Ab:7RCHFq3Ln7N041QqhgeW9/W

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7eb691f7e305078328210e594ec87900N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	7eb691f7e305078328210e594ec87900N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpE474.tmp.exe

pid process

1664 tmpE474.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1664	tmpE474.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpE474.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpE474.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7eb691f7e305078328210e594ec87900N.exevbc.execvtres.exetmpE474.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7eb691f7e305078328210e594ec87900N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE474.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7eb691f7e305078328210e594ec87900N.exetmpE474.tmp.exe

description pid process

Token: SeDebugPrivilege 820 7eb691f7e305078328210e594ec87900N.exe
Token: SeDebugPrivilege 1664 tmpE474.tmp.exe

description	pid	process
Token: SeDebugPrivilege	820	7eb691f7e305078328210e594ec87900N.exe
Token: SeDebugPrivilege	1664	tmpE474.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7eb691f7e305078328210e594ec87900N.exevbc.exe

description	pid	process	target process
PID 820 wrote to memory of 448	820	7eb691f7e305078328210e594ec87900N.exe	vbc.exe
PID 820 wrote to memory of 448	820	7eb691f7e305078328210e594ec87900N.exe	vbc.exe
PID 820 wrote to memory of 448	820	7eb691f7e305078328210e594ec87900N.exe	vbc.exe
PID 448 wrote to memory of 2828	448	vbc.exe	cvtres.exe
PID 448 wrote to memory of 2828	448	vbc.exe	cvtres.exe
PID 448 wrote to memory of 2828	448	vbc.exe	cvtres.exe
PID 820 wrote to memory of 1664	820	7eb691f7e305078328210e594ec87900N.exe	tmpE474.tmp.exe
PID 820 wrote to memory of 1664	820	7eb691f7e305078328210e594ec87900N.exe	tmpE474.tmp.exe
PID 820 wrote to memory of 1664	820	7eb691f7e305078328210e594ec87900N.exe	tmpE474.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe
"C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tpjf9_mw.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE639.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF45043D5C6154EFBA3AB218D37A66F26.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:2828

C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE639.tmp
Filesize
1KB

MD5
f29727508d1584f963c626973bc7b5da

SHA1
4c4dcff94ea0c7c069e38f7f7949273117c27438

SHA256
b55bdf06853a6823932c7297fa2e2f7a2f1cbbac560425f8c7e4f7b16e05b8ae

SHA512
e8cbb6e5d931db8abcbf271e1bfa7195f84667a7d107ab45ae0f6ddf35443d8ab7eb392f5fa7a2d52f5f5b4c63b594b0c110116e81a282c0d0366338e7addba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe
Filesize
78KB

MD5
fabe2560e4f277886e98f8654a63adae

SHA1
cb351b12b1d8302500466f74213bad1d9a7cf1f0

SHA256
75f1bc898b494ff4fd84ecac3e3a592619a4929dfafa7adb79fde37db4a80b42

SHA512
a6755cd5db63301511ace52ba7e3f562fa47f3d1fe419bd3515018010e450dd54946e702cd65e10332abc8dd5397ee2059304ea621373524302cf2a3f054790a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpjf9_mw.0.vb
Filesize
15KB

MD5
016038b7afd67607ccc40e206ea19c2b

SHA1
4c79b219fe86e36abd3798bbaa9decf6f8ff7f81

SHA256
d80cded9c711852a5729e055cfb15b4654ebe3e754ac3f6af8abecf90d839aa0

SHA512
1ccdc191b9e27f8e90a5a9d87002a5cde4f471dc3d54845f087ad4f514fe9ded7f4f8252abc61c50394a7a37253769c2bb1a32f780075f08910739bbb409caf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpjf9_mw.cmdline
Filesize
266B

MD5
f992695d8b65ed18fe5f0ed3feb55bd0

SHA1
f2726e7964fe94a668515c0699573ced94b57ba4

SHA256
ae1c3a30df978109ea35ec369a84ee1d39d9caf9da219cde477b7f71242964c0

SHA512
460dccced229008d33dccc9299743e7712e9872ef63c5b55f4499efe939b066c4b4aaeb91be490614e8f511f85623b0b90aaa982f4ffa68a383d38fbd96eea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF45043D5C6154EFBA3AB218D37A66F26.TMP
Filesize
660B

MD5
cf3c4312515d478d9dc2578ab7fd16d9

SHA1
3a055644aff164e8c8426bee7a7709efe8468f2d

SHA256
7c1fc5b904a6c81eadcfc5cc7714e6941239f26bf78b9394743d9b701d05e0a8

SHA512
aef69412353b75db8c17944eaeb5c01600ea318d95c58a576786e488f635783f810affcea1878892b38822ceab6a779f9887b4b87993cfaf99512293883e5420

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/448-18-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/448-9-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/820-2-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/820-0-0x0000000074C82000-0x0000000074C83000-memory.dmp

Filesize
4KB

Download
memory/820-1-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/820-22-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/1664-23-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/1664-24-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/1664-25-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/1664-27-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/1664-28-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download
memory/1664-29-0x0000000074C80000-0x0000000075231000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads