metamorpherrat | cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873

General

Target

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
Size

78KB
MD5

94e0cfa0f06092a53df124587a75f869
SHA1

3883232d684ad6ecbba631367a9afcc02f6ae814
SHA256

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873
SHA512

eb620cc884eceb228f623d3c85b79b4b86b668666b4733505ec827e76916d707feab4667c4a5af16508fe0226c06616e47afb99400eb530e5da5a9c7c6811d51
SSDEEP

1536:S4tHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt1d9/I1+o:S4tHY53Ln7N041Qqhg1d9/u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe

Executes dropped EXE 1 IoCs

Processes:

tmp84DF.tmp.exe

pid process

2156 tmp84DF.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2156	tmp84DF.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp84DF.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp84DF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exevbc.execvtres.exetmp84DF.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84DF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exetmp84DF.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4288	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
Token: SeDebugPrivilege	2156	tmp84DF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exevbc.exe

description	pid	process	target process
PID 4288 wrote to memory of 448	4288	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	vbc.exe
PID 4288 wrote to memory of 448	4288	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	vbc.exe
PID 4288 wrote to memory of 448	4288	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	vbc.exe
PID 448 wrote to memory of 3420	448	vbc.exe	cvtres.exe
PID 448 wrote to memory of 3420	448	vbc.exe	cvtres.exe
PID 448 wrote to memory of 3420	448	vbc.exe	cvtres.exe
PID 4288 wrote to memory of 2156	4288	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	tmp84DF.tmp.exe
PID 4288 wrote to memory of 2156	4288	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	tmp84DF.tmp.exe
PID 4288 wrote to memory of 2156	4288	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	tmp84DF.tmp.exe

C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
"C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9chtngop.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26BED73C93B24B448A8585971C8E4BC.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:3420

C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9chtngop.0.vb
Filesize
15KB

MD5
75b0ab4737bc86853db81ec96a956f7d

SHA1
e21ba688cce82bf9091074d70d3693d5d5197ac1

SHA256
3ea9c0d8ab3ea999a3d2143a53e64c026d5c2a477def941a15544abadb6710a2

SHA512
3e159ae6e9f979e38defc29d5f1f027cc20a3e63af93b388ce70d215450956faea254dc3337c0f4518ddec5c3cfb58c7e3b2bc688e32e90f9f181f359b1e3c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\9chtngop.cmdline
Filesize
266B

MD5
c9e66ff8a1b8b9ca87a3b3b2c4ad9a35

SHA1
4ac0a4aef9b455f813349aceb2ce7060e8328604

SHA256
4781a24fdcb8e4a084bb06a3cb3e32d639f7d87e92e7b584b31c2c9e250e4761

SHA512
432fc595f4ebfdfa905f1193fd52703f865235fea33ac6a91697a07dbc1fd00723de4435f4cd5401d733e352dfb2a809e3a0b9d7d86b892013c0ac99ee58d5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C90.tmp
Filesize
1KB

MD5
1d3e72b1af9dd2dd50276d91776af7ba

SHA1
bfbce64a859ae678fad4723c03b25b2d1224954b

SHA256
ccff87870740b673ca1b47948f23fdac4b221e8ed208d31417648c4b1f9078dd

SHA512
2143fa3f098df0aacbc504de6c068f690a4d55d5f97eebf60f0949ae057fadbf1db01e233e764e0d40f2de0b240285dc529ade89093fd65981dbcd53b58d7bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe
Filesize
78KB

MD5
bf28f6ce2d96606d106d5374818dddaa

SHA1
50676a6d8a58663c6f978512f769aa443d326b0f

SHA256
3ee794340553f5b251b34a080aef8f6bc58b2a5eb86d7789de4fecc4e649e01f

SHA512
22ef123e08a5993e9d3cedc496cba61f662ac9da36c36918553df30f3c3a47db5e82215274e35cb979ffccffdea40c11b1fac921dcbeedd6a2ff33b7310a1b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc26BED73C93B24B448A8585971C8E4BC.TMP
Filesize
660B

MD5
b94b8d58c3f51de04e77b683b67ac039

SHA1
027cb73d63c718c1335261b01dec1b6e0092030a

SHA256
cc29d0887b6894057b1f63a45caecb46bbf3a12b9d78ce5cbd2aece32d4cd444

SHA512
a7c477d81028f43b36d76f8df0d2d7edee5d26b35f44365a859d7e38ad2aad69d51e89ba9f98ca1530b6f06bfb57f345445c6af328e0e9e580941351c5e79767

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/448-8-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/448-18-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2156-23-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2156-24-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2156-25-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2156-27-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2156-28-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2156-29-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4288-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp

Filesize
4KB

Download
memory/4288-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4288-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4288-22-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads