metamorpherrat | b77095967a2e2c297e04c2033cd640100bf6786168ad9cb4a8ed9b33fd7c990c

General

Target

97273c8d10b83e664994b8530a3b70b0N.exe
Size

78KB
MD5

97273c8d10b83e664994b8530a3b70b0
SHA1

300f94cc019a11c0bbb38229493d0f06a60780c6
SHA256

b77095967a2e2c297e04c2033cd640100bf6786168ad9cb4a8ed9b33fd7c990c
SHA512

f98d1578af7588665b8dfcd2654df73f8644dbdea696aaaa2978f09c5ae58ad06b844a85ebcf08045896274b5bbc10a290fb2f2054fb3c33558ab4b96005428e
SSDEEP

1536:FPWV5jIXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC67W9/I1DP:FPWV5jQSyRxvhTzXPvCbW2UjW9/i

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	97273c8d10b83e664994b8530a3b70b0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3344	tmpF0E2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpF0E2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF0E2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97273c8d10b83e664994b8530a3b70b0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	97273c8d10b83e664994b8530a3b70b0N.exe
Token: SeDebugPrivilege	3344	tmpF0E2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1116	2356	97273c8d10b83e664994b8530a3b70b0N.exe	92
PID 2356 wrote to memory of 1116	2356	97273c8d10b83e664994b8530a3b70b0N.exe	92
PID 2356 wrote to memory of 1116	2356	97273c8d10b83e664994b8530a3b70b0N.exe	92
PID 1116 wrote to memory of 2024	1116	vbc.exe	95
PID 1116 wrote to memory of 2024	1116	vbc.exe	95
PID 1116 wrote to memory of 2024	1116	vbc.exe	95
PID 2356 wrote to memory of 3344	2356	97273c8d10b83e664994b8530a3b70b0N.exe	96
PID 2356 wrote to memory of 3344	2356	97273c8d10b83e664994b8530a3b70b0N.exe	96
PID 2356 wrote to memory of 3344	2356	97273c8d10b83e664994b8530a3b70b0N.exe	96

C:\Users\Admin\AppData\Local\Temp\97273c8d10b83e664994b8530a3b70b0N.exe
"C:\Users\Admin\AppData\Local\Temp\97273c8d10b83e664994b8530a3b70b0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\en3htc3s.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF22A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB577466512C64E1089C15138C4836380.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Users\Admin\AppData\Local\Temp\tmpF0E2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF0E2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\97273c8d10b83e664994b8530a3b70b0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF22A.tmp

Filesize
1KB

MD5
e789d1104a53c7db75b04147974bed5d

SHA1
7396481d99d6f8c3ca1e2b68688c8cb0c4eba9f4

SHA256
10228d26105a8276a66c7047d11ab19df98f2938fb8455a40354766e62b53f13

SHA512
c5db92d40b9441ffd19aadffbeb03758d7743e539dd8d65202cd4dcf81c3f44ced1a9d53ff6daaf5ca062cf032ecb2532e2c18df0f59226c220b82d5618fd732

Download Submit
C:\Users\Admin\AppData\Local\Temp\en3htc3s.0.vb

Filesize
14KB

MD5
50e8704f829972c765642e0f3938db5f

SHA1
86d40b8b456697425a6dfa9ba99bd54eb05e8686

SHA256
8972689e5aa07bba38dde8fbc459549986f0b0a10ba3b8953c45804aacc78fc7

SHA512
e556358539220d2f9c29e8dce9a12338e7f10c14a1018c3632e6e7318d30d9f54f70209b4e27ad0f9d46e32e4b96794117bc42e525a392b47e75eae471c70974

Download Submit
C:\Users\Admin\AppData\Local\Temp\en3htc3s.cmdline

Filesize
266B

MD5
cfa087b465c9748da8df0c56d3c604ba

SHA1
e9d3aa4290ada7ba8f275ad4b89b13a2b2381891

SHA256
df51ebe084be6f30dffcf42b10717ad117a08e7e872b5e1d6ae2ec0a0d8d2d2c

SHA512
9f4c30bf2dc641858ee4121eba64e403b53f880cb169b2e7d45d1ef39c39f49daafd531d5d4aa41aafb63c97a0c99f3526c7c164fd945d8a28d5db250f789d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0E2.tmp.exe

Filesize
78KB

MD5
f30058d1b8d8016e7fe25b4f7adf6a1d

SHA1
75ac988548a71b90e5d1439369765b56a048ed51

SHA256
fa1b776a6f0af4e23b14d968a2821743c9978b4e48eb9c8786ede1cd628b95b5

SHA512
09b74b106660aed0914c56c42aca0ebc0dce621f9bc705ded170c820e6e93f0a3a5f4e18234e7867c01a4703309fa2880f73029e7a0ac4ec88fc4a540cd78edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB577466512C64E1089C15138C4836380.TMP

Filesize
660B

MD5
60d984686f9c35c9ec16bbd7e486cb4b

SHA1
f0670fb5152f7caed5443fc88bdb3d08e57a49ae

SHA256
d909e635a92e9ad553ff93086e09a01c19945c8adc5bbccb983576517320ea76

SHA512
3e668ff0ba9c157d48d2157360e15bfb4716edcfc047264613ad3647d123f820a5a3c664dd85d6709c0a5c108d85b0b4df0ae8a818ed84079df107b22237a5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1116-18-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1116-9-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/2356-2-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/2356-1-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/2356-0-0x0000000074952000-0x0000000074953000-memory.dmp

Filesize
4KB

Download
memory/2356-23-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-22-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-24-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-26-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-27-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-28-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads