metamorpherrat | 62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb

General

Target

86ef2a66c72c1d358578f09b15ae4dc0N.exe
Size

78KB
MD5

86ef2a66c72c1d358578f09b15ae4dc0
SHA1

b84d8932f011b1f3a2b923af8ae2a2359142a4a5
SHA256

62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb
SHA512

7ca899f0df1d3e605f2a7443e578fa382f091b0e5fd6f70f1287bd4315210a6373fae6283cd8da664e556a8d4f68332ce7d10be0214654f252f3833902547fe8
SSDEEP

1536:Yy58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96b9/Qd1W2:Yy58/SyRxvhTzXPvCbW2UI9/8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	86ef2a66c72c1d358578f09b15ae4dc0N.exe

Deletes itself 1 IoCs

Processes:

tmpCCA6.tmp.exe

pid process

4500 tmpCCA6.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpCCA6.tmp.exe

pid process

4500 tmpCCA6.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4500	tmpCCA6.tmp.exe

pid	process
4500	tmpCCA6.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpCCA6.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpCCA6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exevbc.execvtres.exetmpCCA6.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86ef2a66c72c1d358578f09b15ae4dc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCCA6.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exetmpCCA6.tmp.exe

description pid process

Token: SeDebugPrivilege 1896 86ef2a66c72c1d358578f09b15ae4dc0N.exe
Token: SeDebugPrivilege 4500 tmpCCA6.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1896	86ef2a66c72c1d358578f09b15ae4dc0N.exe
Token: SeDebugPrivilege	4500	tmpCCA6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exevbc.exe

description	pid	process	target process
PID 1896 wrote to memory of 2872	1896	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 1896 wrote to memory of 2872	1896	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 1896 wrote to memory of 2872	1896	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 2872 wrote to memory of 4644	2872	vbc.exe	cvtres.exe
PID 2872 wrote to memory of 4644	2872	vbc.exe	cvtres.exe
PID 2872 wrote to memory of 4644	2872	vbc.exe	cvtres.exe
PID 1896 wrote to memory of 4500	1896	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmpCCA6.tmp.exe
PID 1896 wrote to memory of 4500	1896	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmpCCA6.tmp.exe
PID 1896 wrote to memory of 4500	1896	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmpCCA6.tmp.exe

C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mnvkvisg.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA39CE6784D6436CB1418C36667E4817.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:4644

C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp
Filesize
1KB

MD5
7b16cee4e08730bfecaebec3c5b009e5

SHA1
134e6d8ad4003244ea077faebfc60f6ebf1b6ed4

SHA256
25543f974acbc0ada31cf0fbd0ba5cdb238063f9b7c9c94326d4ab14184f44bb

SHA512
2ebcc43656f65d1cfc36879650d8ebd81c7773edbe3f60904c177d2cdc9d14e06f2de5b0f20f946ef292d1d488bbee93015861937ce8f6e2f955b584205e6b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnvkvisg.0.vb
Filesize
14KB

MD5
3bdeb93639f1c04d726d7934d9417405

SHA1
74829e5750c7341eda8286ca057a0bd0fe776d90

SHA256
f2de0bdd14e486740bf4a1f26e497b41dfee60adee8d526e81c420c59e6734c2

SHA512
c1dd215cc0fa14d7814afd475cbde9d63f9e1cce3c413ff784d4460ab0a8c6d82f347320c2e08b3136ef4c472a1ad4e54500b5ca4ea900b88d5f84170f01337b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnvkvisg.cmdline
Filesize
266B

MD5
9792e93a8cb543e96bf1e342a559769a

SHA1
71ac2ab34ce9236a47f9f28648f0c0dc89bcb899

SHA256
9f237f80dadf3cfd1a4415e1c7a4656563f6e388713af0b71474884ba5920b90

SHA512
0a359bf249f02b92a1a21739cf61da7f5d9eb4234f6b82a1f4a0a42cc7e7eb30f9a070502344a83117d3f92de7b5669ea64baf9aa8dd7eaa53f73b56833d0e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe
Filesize
78KB

MD5
b5b496689008fa599b16f7963a14eca6

SHA1
b8dc95a762467ac24cb19a0d158cb091d0574b5d

SHA256
2dee8a04fce6a96a31024f672030bad8b704f1f44deda4192f97fc5a27525ee8

SHA512
daf855fa0bfdc61e972027046eadd245f48e8efbc22c8bb04f25746fe6f5b72c35d97d26dce3e6192e1b5371f319747ca01f6fec56d03ec9a270653ccc63d953

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDA39CE6784D6436CB1418C36667E4817.TMP
Filesize
660B

MD5
ecf1160d1e3a7339779fa33ee4761cdd

SHA1
1c0ebd97e4e63176577c5d385b3d99371c7afcc2

SHA256
5ef8ca7416c3a5a7a015b70253941259ab14e723e6d54b0ea8647d05605a0edb

SHA512
2f9e58a5590e1425850b8de5bf4a1d9ea8b2d6b48c2c5b0e8167ad252b2c828f852370ee46bcf6619d4f44cb97ec002889ab8330e316e59cbddf3bd7abe43965

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1896-2-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-1-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-0-0x00000000751F2000-0x00000000751F3000-memory.dmp

Filesize
4KB

Download
memory/1896-22-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/2872-9-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/2872-18-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-24-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-23-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-25-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-27-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-28-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-29-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads