metamorpherrat | 6f12e6c42d157af7dd0c97eecea698a1f13318a7cb7b6efdacdaef4796ea79d9

General

Target

4c7da96656ee300ebfaa7a10b04b4840N.exe
Size

78KB
MD5

4c7da96656ee300ebfaa7a10b04b4840
SHA1

91cf092ba72cdea7021116313336465cfc109d88
SHA256

6f12e6c42d157af7dd0c97eecea698a1f13318a7cb7b6efdacdaef4796ea79d9
SHA512

99aa52713cebd5f3158af74dfcce30f22d46672a63a328f3976b15059dc819ccf6c1bb380001ea38b8b5572da3d8b40dddf5eb711cb6404bbc75d80ca230f9e8
SSDEEP

1536:g5jSfXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6a59/Pn1de:g5jS/SyRxvhTzXPvCbW2U49/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2584	tmp1803.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2584	tmp1803.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	4c7da96656ee300ebfaa7a10b04b4840N.exe
2252	4c7da96656ee300ebfaa7a10b04b4840N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp1803.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1803.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c7da96656ee300ebfaa7a10b04b4840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe
Token: SeDebugPrivilege	2584	tmp1803.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2780	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe	30
PID 2252 wrote to memory of 2780	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe	30
PID 2252 wrote to memory of 2780	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe	30
PID 2252 wrote to memory of 2780	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe	30
PID 2780 wrote to memory of 2692	2780	vbc.exe	32
PID 2780 wrote to memory of 2692	2780	vbc.exe	32
PID 2780 wrote to memory of 2692	2780	vbc.exe	32
PID 2780 wrote to memory of 2692	2780	vbc.exe	32
PID 2252 wrote to memory of 2584	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe	33
PID 2252 wrote to memory of 2584	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe	33
PID 2252 wrote to memory of 2584	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe	33
PID 2252 wrote to memory of 2584	2252	4c7da96656ee300ebfaa7a10b04b4840N.exe	33

C:\Users\Admin\AppData\Local\Temp\4c7da96656ee300ebfaa7a10b04b4840N.exe
"C:\Users\Admin\AppData\Local\Temp\4c7da96656ee300ebfaa7a10b04b4840N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3dwposwm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES192D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc192C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- C:\Users\Admin\AppData\Local\Temp\tmp1803.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1803.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4c7da96656ee300ebfaa7a10b04b4840N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3dwposwm.0.vb

Filesize
14KB

MD5
436ccff87ed84c869f2839c431e858b3

SHA1
2a39d2b5e1098bf97f0f5fe42f9082746c5bfd7b

SHA256
82d03f08eaf5d1896c8cfbdf7ccb115d424afe0dbc1cd863a6ff42cd34bc9927

SHA512
e31475cb4c1a8532ff451262cf58a6f757cff31c1ff870b4c4cdf312168ed8df258be684ada165ca5ff064ec644323b89c58c9c226a6be8a8c176af2c01dda6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dwposwm.cmdline

Filesize
266B

MD5
b3a487df1a8cd9b7e64de6a2f0215e17

SHA1
7fe764fbd19ca3a5adc7887c269fa14ca8cdf7e2

SHA256
adfd0c956af5123e0309dcd6f4fa1256c7429052148f1b30d13f4c5de4030292

SHA512
c06d7e58c6319304f057e44ce4825532f5c980fbdace5452097a2bd0405c821dcf60f752911d3c7a8ad3100ac101031f67f8ec2ce3965de97d1b8cc251fb9399

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES192D.tmp

Filesize
1KB

MD5
599461fa9b7d38028013117fc9a1f52a

SHA1
351dae71b37cc7a6c72be1ff92eb917999774048

SHA256
989658604e5624cc72e60920a68354ef92cf3d1534338aca75b7cd44c40bf4f6

SHA512
6e6585edacf05e63e4087ada4d1db82459666cb766754f6290447f3aab98b9b34e8000b9e76f3e884164703140bf6c4f513cc3368b215bf6518bfe2f9a4d09d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1803.tmp.exe

Filesize
78KB

MD5
b80e3079709bbdd66f136b056aedb222

SHA1
72530710d444a0356e6f2f1cbbbd65a353af8753

SHA256
5ee6dd8b4ffdf3cf28a252b5877b469db2d6c51f06d44ff44be5a0cb7eaefd6d

SHA512
241b339668c34716f143533a50668af5937782cf994ad2302a377061ec11ca710a23634244c5b08a746c86472863131e9cc49a4fd35502bbf8bf370ab03b7de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc192C.tmp

Filesize
660B

MD5
906425111d1f0042de45fcb54f2e684f

SHA1
7c5ab2023edc3fb9d29a1edd551242926ec14225

SHA256
4f0b736a98fbf4e37c76096027b919c7f7ef7b8fbf20045aa0ff9591f3c0b59d

SHA512
40647aebc71ad38ec8b26f7c7362a33d7991a61253717f70628b7717a714802c95aa6d3b5182bea3146d62fde99534139085d7d0597694691ee9ddb62f8ce174

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2252-0-0x0000000074C11000-0x0000000074C12000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2252-2-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2252-24-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-8-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-18-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads