metamorpherrat | 9c352ce735a518535e87d668536489d314cce09890367cd30ddc9c59800c0a4b

General

Target

2165e81e47591004b13a82cbbb7cbde0N.exe
Size

78KB
MD5

2165e81e47591004b13a82cbbb7cbde0
SHA1

9d60b3e8a87966be1abda58f975d72b1c93bfc12
SHA256

9c352ce735a518535e87d668536489d314cce09890367cd30ddc9c59800c0a4b
SHA512

dd7f0b6f68349b661fe433568715c8c8a863b613c61d66bdd029989644290371aba9fafba9c92a50632591bbcdbbbeadd75e05d0689b105345bed6e7e788cde4
SSDEEP

1536:0V5jSpXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6U9/mG1ko:0V5jSZSyRxvhTzXPvCbW2UM9/x

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	2165e81e47591004b13a82cbbb7cbde0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	tmp609E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp609E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp609E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2165e81e47591004b13a82cbbb7cbde0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	2165e81e47591004b13a82cbbb7cbde0N.exe
Token: SeDebugPrivilege	2020	tmp609E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2860	5000	2165e81e47591004b13a82cbbb7cbde0N.exe	84
PID 5000 wrote to memory of 2860	5000	2165e81e47591004b13a82cbbb7cbde0N.exe	84
PID 5000 wrote to memory of 2860	5000	2165e81e47591004b13a82cbbb7cbde0N.exe	84
PID 2860 wrote to memory of 2468	2860	vbc.exe	87
PID 2860 wrote to memory of 2468	2860	vbc.exe	87
PID 2860 wrote to memory of 2468	2860	vbc.exe	87
PID 5000 wrote to memory of 2020	5000	2165e81e47591004b13a82cbbb7cbde0N.exe	90
PID 5000 wrote to memory of 2020	5000	2165e81e47591004b13a82cbbb7cbde0N.exe	90
PID 5000 wrote to memory of 2020	5000	2165e81e47591004b13a82cbbb7cbde0N.exe	90

C:\Users\Admin\AppData\Local\Temp\2165e81e47591004b13a82cbbb7cbde0N.exe
"C:\Users\Admin\AppData\Local\Temp\2165e81e47591004b13a82cbbb7cbde0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gplvuind.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6189.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC122E9D4713C4F5FBA2C4F7D79B98D92.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2468
- C:\Users\Admin\AppData\Local\Temp\tmp609E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp609E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2165e81e47591004b13a82cbbb7cbde0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6189.tmp

Filesize
1KB

MD5
2c539dceee95c2960e91307087137f81

SHA1
7a409473711cabc24ca16b18f407c89fca6d2d6f

SHA256
97da06ce018bf5bbce9fb47beef98b7def81df525f43db077b6661b233c4f0d5

SHA512
9ef30e9231020547f1004ad6960cd352b81cb75653285056ddb180b7011ea2181baf2db8caf8830341716e1023c0e1921595e707b05ebd4f0e6cfc49afb84934

Download Submit
C:\Users\Admin\AppData\Local\Temp\gplvuind.0.vb

Filesize
14KB

MD5
11b4974e72248f8e46335f65bd7f33ec

SHA1
4558c091e38b0064e2b264c941ec56f50ec3c9f1

SHA256
5275267a87c78b60458e33e2bf3a6e3b01c498bec69f0105db8992d5a8b70f79

SHA512
863f780ad89b4292d48ce0c0c2fbc6b97c6e70da92baf542ead2d20b58c25fc959736ac9e6ca739efa0121821bf72c5119a1a3a7e1eaf4836f08b28cb18ed5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gplvuind.cmdline

Filesize
266B

MD5
3f8bb60ab507905391f3e1c6fc9cf979

SHA1
6cf1c422d35d62b20339e4031886977aa8655022

SHA256
cf3009189304f07ffa5ad5d0bde9d7c979147cb8b0ea3ab0dc8b03eeb3352d79

SHA512
5ca712c446fe25f7f0d067215c61cb8da7925203aa6eb507474350d1e4be2d8ce047bc266b64d280d9a7cfcf7aa2b129b927c5eefb200e521bb27530f0bcfabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp609E.tmp.exe

Filesize
78KB

MD5
2189744a195b40f6d1212256f4685d58

SHA1
76e87b6f61c71c6af8027907c77d444d611398fc

SHA256
12611fb2894e0d50d47685179575c92366f8e0548deee3b9f9fb2951aa9bc2d0

SHA512
92330fad4cf2b312b589c4806a42c0b41f048dc3f06bbdac630b3cc401f23d9087735ef88407ac85c27f5fdd03eada07fde4af516275b1b147c26d0024fb87ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC122E9D4713C4F5FBA2C4F7D79B98D92.TMP

Filesize
660B

MD5
8e09d401560b66ac1d14688b88404049

SHA1
fd27b610ae12947ba827a73f35e03d045b61a494

SHA256
53fa0a402a5a08db0d2c5f1abec8b1a4f9a5ef5a05f23895dcfe0d3de9ce4120

SHA512
4ebfeff4817764af9206bc7a3eba11e43a2ce11e7079794c7bc20f0f9716f0152baefc12b8f5d9705b90098067bcd94efd57758a36bc2e615dd63674d11a8ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2020-23-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-24-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-26-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-27-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-28-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/2860-9-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/2860-18-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/5000-2-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/5000-1-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download
memory/5000-0-0x0000000075202000-0x0000000075203000-memory.dmp

Filesize
4KB

Download
memory/5000-22-0x0000000075200000-0x00000000757B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads