metamorpherrat | 187f53ddf8eb0b429b11b86d74dafebba7ca914a0929e8767cd024f970ae5c1a

General

Target

287304edc5b4586b3648f45d49e8f540N.exe
Size

78KB
MD5

287304edc5b4586b3648f45d49e8f540
SHA1

211b8645c723508466644e808e39092ecb1e7dd4
SHA256

187f53ddf8eb0b429b11b86d74dafebba7ca914a0929e8767cd024f970ae5c1a
SHA512

d8bd0de04a34a72ce027606172d31ab29d07197a4b8ecbfa2b9a6ecb83574eb67093a929dc483b8c493c067dafc20679cbe3dd175e1a3fad55ff986a03f28180
SSDEEP

1536:QHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteN9/G61Vd:QHFonhASyRxvhTzXPvCbW2UeN9/GY

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	287304edc5b4586b3648f45d49e8f540N.exe

Executes dropped EXE 1 IoCs

pid	Process
1184	tmp689D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp689D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp689D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	287304edc5b4586b3648f45d49e8f540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	287304edc5b4586b3648f45d49e8f540N.exe
Token: SeDebugPrivilege	1184	tmp689D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 1472	4668	287304edc5b4586b3648f45d49e8f540N.exe	83
PID 4668 wrote to memory of 1472	4668	287304edc5b4586b3648f45d49e8f540N.exe	83
PID 4668 wrote to memory of 1472	4668	287304edc5b4586b3648f45d49e8f540N.exe	83
PID 1472 wrote to memory of 4920	1472	vbc.exe	86
PID 1472 wrote to memory of 4920	1472	vbc.exe	86
PID 1472 wrote to memory of 4920	1472	vbc.exe	86
PID 4668 wrote to memory of 1184	4668	287304edc5b4586b3648f45d49e8f540N.exe	89
PID 4668 wrote to memory of 1184	4668	287304edc5b4586b3648f45d49e8f540N.exe	89
PID 4668 wrote to memory of 1184	4668	287304edc5b4586b3648f45d49e8f540N.exe	89

C:\Users\Admin\AppData\Local\Temp\287304edc5b4586b3648f45d49e8f540N.exe
"C:\Users\Admin\AppData\Local\Temp\287304edc5b4586b3648f45d49e8f540N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4_7ek74b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7BD686057E14AFE92E611D13EA2A5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\tmp689D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp689D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\287304edc5b4586b3648f45d49e8f540N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4_7ek74b.0.vb

Filesize
15KB

MD5
be5c1bfe87c63a21f02b4917cf0f3ac5

SHA1
4261debe4b5682b8d09e5820b533a0fed04f2e5c

SHA256
1f418b22a30ca0bc758570e29bbc19a27b2c58e1d24810f53db965b071dba0f2

SHA512
f0ed106ee125b4e2f830e12da44c24534b8862e4cc12b16034214ad665aba21f88bc0070a04431fbb6491485e4e637da392e22dbb70575957a7ee94f6f96e521

Download Submit
C:\Users\Admin\AppData\Local\Temp\4_7ek74b.cmdline

Filesize
266B

MD5
f1df99cfb188aa1a34569dcde5d449a8

SHA1
089e9f0527d553ffe45f5c0941a546aed85fae14

SHA256
2721ae0e0270ec59674022a23686e99d2b10df18a2c6e1c9dc530aed1064f0a2

SHA512
91578b6d8122cee0e86250e0ba516f3d2859b465c59ad3f210abb403a7ea8f36b4024273ae51d7bb093a0558ebfcb72ba712efa8fe533d2d05266e1d740ee6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES69C6.tmp

Filesize
1KB

MD5
492ebfd656cc1609b219f4c64489089c

SHA1
e2c3a4d1311c20c36d0647f298ed8b22104f0707

SHA256
0aa897d66a37cd80a969be9b5d68df04f575e1bfb535f88d42a4a6996a36b492

SHA512
73d5e884a8fc2d9d1a8ca0adf38f70d6d8030d5ddd9ed9562d3a306c3825f24a1c57d949ab46472bf53275de2a091cd4b988e11ae4f52ad77a7c2505e294f933

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp689D.tmp.exe

Filesize
78KB

MD5
430c0a5db240c35a6d61673a06495a69

SHA1
6613da5e10d112d19ec5365d0c98724cb74ba8fe

SHA256
2e75a6188699c6350ef71af9e21d74b53f3a7b5ed40f0b8ca0305766906ac381

SHA512
e99b28def769ea82146f9e7b88139d6bd2c345c535a2dfcdd95abbf7620d3941fefebfb4bdffc8abed52d26d436af2fc19b99edfc3e32655c3141416bc0a25d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA7BD686057E14AFE92E611D13EA2A5.TMP

Filesize
660B

MD5
1ce05a17501f3ff6f155151cd18e29dc

SHA1
6f6c5759af83c825eefd223f465210c88bcbd944

SHA256
102aa49bd7250329e50777c518c51ddb36aabbbcc002c0bee2267ff77728a31b

SHA512
bb2b99d41ade96997d2fe5495437c04ad975f2e4045a2cfc05b02058c59fa695d81efd8fc56e2c067fa8c5991c9a30d5ea68eac5e9f13036bb4b13b7613016ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1184-23-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/1184-24-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/1184-26-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/1184-27-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/1184-28-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/1472-9-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/1472-18-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4668-0-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/4668-1-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4668-22-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4668-2-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads