metamorpherrat | e36fa70a6012d67d2c14393d1261f99a51683a726f8f0cf2e99cf7d053a930b2

General

Target

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Size

78KB
MD5

7f8d9f9b10b2dd136c2703db3c2bf6c0
SHA1

f007132a9fb91d4ca34bc43576a9358fa98e9c41
SHA256

e36fa70a6012d67d2c14393d1261f99a51683a726f8f0cf2e99cf7d053a930b2
SHA512

a2471f982ecee25f36539c6298b7f65e67bc5030765cf3197759288b006020bb15feaf406dfe7b741d5dd280a603d372514548f31d58e2a7dd1e2dbd08400b27
SSDEEP

1536:dRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6e9/OO1cd:dRWV5jOSyRxvhTzXPvCbW2Ux9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe

Deletes itself 1 IoCs

Processes:

tmp9B07.tmp.exe

pid process

1620 tmp9B07.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp9B07.tmp.exe

pid process

1620 tmp9B07.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1620	tmp9B07.tmp.exe

pid	process
1620	tmp9B07.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9B07.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9B07.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exevbc.execvtres.exetmp9B07.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9B07.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exetmp9B07.tmp.exe

description pid process

Token: SeDebugPrivilege 4196 7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Token: SeDebugPrivilege 1620 tmp9B07.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4196	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Token: SeDebugPrivilege	1620	tmp9B07.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exevbc.exe

description	pid	process	target process
PID 4196 wrote to memory of 1776	4196	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	vbc.exe
PID 4196 wrote to memory of 1776	4196	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	vbc.exe
PID 4196 wrote to memory of 1776	4196	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	vbc.exe
PID 1776 wrote to memory of 2656	1776	vbc.exe	cvtres.exe
PID 1776 wrote to memory of 2656	1776	vbc.exe	cvtres.exe
PID 1776 wrote to memory of 2656	1776	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 1620	4196	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	tmp9B07.tmp.exe
PID 4196 wrote to memory of 1620	4196	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	tmp9B07.tmp.exe
PID 4196 wrote to memory of 1620	4196	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	tmp9B07.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pwdnmriu.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48AB8E01C23444F79470CFAD0825679.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9FBA.tmp
Filesize
1KB

MD5
b0cb3ab05ba18fac620b1d8b6227bd83

SHA1
c1dc329629c1c8dd2098f4d50a963dcd9d9b9a1f

SHA256
4bf1eab9575c02a34582be36ec9dbf74c1d5fe439a6e6ed2a58354b18d8e4948

SHA512
4d4fe459aadb873b32eddfeb8c89bf13d8fd74924f91ab84ea9f179dd02ee5874fd69c964bd7c5f327a02b3545c9416506fc567b1b60db0d44280aa2bdcab6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwdnmriu.0.vb
Filesize
14KB

MD5
ac9f72f291c03caded6cb38ccc8822f6

SHA1
5086a2d601781ddce0757193433e61bf24b5460f

SHA256
96c2feda235d92d83c1e9849f21a52152f7661fe6b9d05d197196f18c8394499

SHA512
1d7b75af63291c4700aa9d966ce38c6a73ab31ace7fa4cea7c2055fb65624d0c438561f49813709f98083ebe2171d235b172f0f7879e54b1e58debc4836aa63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwdnmriu.cmdline
Filesize
266B

MD5
a378c278c6aa712c0cf5754d90c6434d

SHA1
e842f3b899a8ab962b86128eae060facf1ae6ab4

SHA256
9e1f65ddf30f4bf0d699d145faa919bc33165f912a2ea6ed5c5950f956519959

SHA512
ae816d99095c22cf4c7fedebeaa3ce83ceb7005d96421cb43c045664aca75418de6c8aa400d8b37fab5ae38366712ae6bda7406e869e13f98f409c7bda662b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe
Filesize
78KB

MD5
3be1f25f15b248457d2378cacb5fda3a

SHA1
19c4e2bb51fbfb875d624b9a0442c969881fe899

SHA256
3b3715725ad3a1c58f17e523bb469c4230edb46d0c1d0ca04ae1311cad045033

SHA512
c0d76db6a2afa5ee58f4493fac54f534b5532f026fa5b314c4901d5b2b485cc0e456b6559b8324b1f520c3c534ccced09e30859de0d30286d192285dfdbbdeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc48AB8E01C23444F79470CFAD0825679.TMP
Filesize
660B

MD5
ee514356c04c317fdad1c26b0e3c2e6e

SHA1
b079b4f51db3bcf75e04b460a99e8aeb81223935

SHA256
a11137c873cb92e6dd058b858b1247313dacf258445c9636ec4d0781d5f336b9

SHA512
c9c6124c1d1be01994be9f213b2bd25f32651800c90bf23e39166930e1395889827e97e520340d1f7532bbb95bc7e826086f4bd71079185dd194a432040e67ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1620-23-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1620-24-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1620-25-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1620-27-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1620-28-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1620-29-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1776-8-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1776-18-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4196-2-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4196-1-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4196-22-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4196-0-0x0000000074C02000-0x0000000074C03000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads