metamorpherrat | 9b3c77746f83e88861eb9c49daa6ae0a2b9ba72be1af304ec41af0323916baca

General

Target

9c94e73b4bda708da298223ff697bcf0N.exe
Size

78KB
MD5

9c94e73b4bda708da298223ff697bcf0
SHA1

1188d1392f1374e786ce63532da824a1b7ed1516
SHA256

9b3c77746f83e88861eb9c49daa6ae0a2b9ba72be1af304ec41af0323916baca
SHA512

bdd11ab04d8ea65fc37a89442150ebcdfe106c68b043d2e029744906142a874a9bb66b475c6c8b3fcd0ce81b3060d517da7e449fd05cb07f7e243bbe1b2ff657
SSDEEP

1536:+XPy5QAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6N9/T1aw:GPy5QAtWDDILJLovbicqOq3o+n19/h

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	9c94e73b4bda708da298223ff697bcf0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2480	tmpB7E6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpB7E6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c94e73b4bda708da298223ff697bcf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB7E6.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3732	9c94e73b4bda708da298223ff697bcf0N.exe
Token: SeDebugPrivilege	2480	tmpB7E6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 1128	3732	9c94e73b4bda708da298223ff697bcf0N.exe	84
PID 3732 wrote to memory of 1128	3732	9c94e73b4bda708da298223ff697bcf0N.exe	84
PID 3732 wrote to memory of 1128	3732	9c94e73b4bda708da298223ff697bcf0N.exe	84
PID 1128 wrote to memory of 2996	1128	vbc.exe	86
PID 1128 wrote to memory of 2996	1128	vbc.exe	86
PID 1128 wrote to memory of 2996	1128	vbc.exe	86
PID 3732 wrote to memory of 2480	3732	9c94e73b4bda708da298223ff697bcf0N.exe	89
PID 3732 wrote to memory of 2480	3732	9c94e73b4bda708da298223ff697bcf0N.exe	89
PID 3732 wrote to memory of 2480	3732	9c94e73b4bda708da298223ff697bcf0N.exe	89

C:\Users\Admin\AppData\Local\Temp\9c94e73b4bda708da298223ff697bcf0N.exe
"C:\Users\Admin\AppData\Local\Temp\9c94e73b4bda708da298223ff697bcf0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m2_afy4p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB90F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5568250384BC46BF8FBC8EBC2EF56953.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- C:\Users\Admin\AppData\Local\Temp\tmpB7E6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB7E6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9c94e73b4bda708da298223ff697bcf0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB90F.tmp

Filesize
1KB

MD5
c3bfa29787fb9b4a09cc91fdb09a4a23

SHA1
7330b6bc00dbe6bdf6b31b849c6eec2d0de8f15c

SHA256
252316f9bc684bd461db1b5337cde7572e4cd5b15db13b39efefacffec540455

SHA512
dfbd138d86361635a759a02bd764f54d8754f47d388be643366a1a7cdbfa5ad1d1e6f9d12a2e77c8cf519d0ee3372240b3c731eb37b628339c509f987f538217

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2_afy4p.0.vb

Filesize
14KB

MD5
67e8a0fc671e2ca8e163fcf06c8f8a16

SHA1
dc4bf3e6f62bcbd2b42af1701af5d029aced4fb8

SHA256
cd7ebe13e78514b5c9faced6cd3ae00cb7b33c6a6b2807decab8089201681196

SHA512
348a51d04ab455d61e297ea193b4976ef4a06d2b958896c78fcc8f336305e409bb88e7688be8c8892333bd51848bcfd9cdf85c26d3d55d81f0c7ddf038424607

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2_afy4p.cmdline

Filesize
266B

MD5
a7f4e277de34528d26219a4c22815910

SHA1
4f39502f4789318727a951c1e100cc6c11d27902

SHA256
bf8be079561ca18a50cb2d50b0d1b58ec1af33ab5f5547537d5f0a3f60d22294

SHA512
b6bc3716df410ddf140fd73855a70efb531ccb52d88b304ebce123aa21c9d9afacc90efef723ff562ee63877825eedc5c6b43eef81882906451adfed623d059a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB7E6.tmp.exe

Filesize
78KB

MD5
be4dc6dc75185ae3438725e91aa9b7a3

SHA1
f75dfc1ae5456b1d50a0473cd7ccc46544c75765

SHA256
81531d45abc07e01921be378bd448ae956547ea651fa3861d130c184eaff5cde

SHA512
476c477a389755a5a1250871c15b06adcf85bdf4e44571c3e7057f5731af84494010fc444038af5945a9b361c1424d75ab314de799a99c92120b2f8c611c9ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5568250384BC46BF8FBC8EBC2EF56953.TMP

Filesize
660B

MD5
f729906b9df2b89e14c971bc0c17f2df

SHA1
feb035506c550dc92f807b028036983718136053

SHA256
faf8b82df4be244316169197328c846b10403db58269069127416c4a18a991f4

SHA512
aa3d5430cc45e82e7fa79a622440c28feb4e1699f1510d1ef44ec67d90c401f939c38afdbe50eb1e9450672a6f5da358d514be4ea92bb1522107cefe8fc0a8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1128-18-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/1128-9-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2480-23-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2480-24-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2480-25-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2480-26-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2480-27-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3732-2-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3732-1-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3732-0-0x0000000075592000-0x0000000075593000-memory.dmp

Filesize
4KB

Download
memory/3732-21-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads