metamorpherrat | f6c296666e91c94a4b6a6182e46faf8a3d5cb987dfbd9f0fad279598555e7926

General

Target

PWS.MSIL.Mintluks.exe
Size

78KB
MD5

d24ac1b54324a1045b2c41aa72696b50
SHA1

11d3ba15cf6467b65859c2fc781aae8b01b0678d
SHA256

f6c296666e91c94a4b6a6182e46faf8a3d5cb987dfbd9f0fad279598555e7926
SHA512

52b4aa63a1d9f60c8f8e80a8bc1a60481bb42fdd4ab81800e8b5df8a7bb2d511ca9b1bdce5aa7b562728f9267cfc4c74ec1a80971ef2e02542f1b05d05d9004b
SSDEEP

1536:B5jSZLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6qA9/51Aa:B5jSxE2EwR4uY41HyvYZA9/b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2760	tmpEDC8.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	tmpEDC8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2828	PWS.MSIL.Mintluks.exe
2828	PWS.MSIL.Mintluks.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpEDC8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PWS.MSIL.Mintluks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEDC8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	PWS.MSIL.Mintluks.exe
Token: SeDebugPrivilege	2760	tmpEDC8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2732	2828	PWS.MSIL.Mintluks.exe	30
PID 2828 wrote to memory of 2732	2828	PWS.MSIL.Mintluks.exe	30
PID 2828 wrote to memory of 2732	2828	PWS.MSIL.Mintluks.exe	30
PID 2828 wrote to memory of 2732	2828	PWS.MSIL.Mintluks.exe	30
PID 2732 wrote to memory of 2392	2732	vbc.exe	32
PID 2732 wrote to memory of 2392	2732	vbc.exe	32
PID 2732 wrote to memory of 2392	2732	vbc.exe	32
PID 2732 wrote to memory of 2392	2732	vbc.exe	32
PID 2828 wrote to memory of 2760	2828	PWS.MSIL.Mintluks.exe	33
PID 2828 wrote to memory of 2760	2828	PWS.MSIL.Mintluks.exe	33
PID 2828 wrote to memory of 2760	2828	PWS.MSIL.Mintluks.exe	33
PID 2828 wrote to memory of 2760	2828	PWS.MSIL.Mintluks.exe	33

C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe
"C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zvoa3csq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF7D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\tmpEDC8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEDC8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEF7E.tmp

Filesize
1KB

MD5
1ca5746c979be0e3d30ed0bd9eacee61

SHA1
f0665ec32da82c75a406e40218eb24e7906b8e81

SHA256
8d1e6cb6b0589790c0f1754b738da014b402af07d2857280c1c20955e74b701f

SHA512
f8fef0826e88f4ae634e956deb28ac6de3bd58b2a314c19d50470f665bacb5e9b9eed9efcd78f59b7d363b3c4678c64d46d54302059e3970fdcf4dec01ebfd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDC8.tmp.exe

Filesize
78KB

MD5
b521f81e90384d40ba476a99e0d06bd2

SHA1
74c53440c09447d49c47a07c2dd58146923542ab

SHA256
991cdf7d18324653ac9543d478a6fed5898be13c9c424b7937cb64a633e19c01

SHA512
5446d5c68e105d21443130e1b2fa7c7b424b47cb0d6a1dd9a7940725ebc97e2eaa98cc3f01678a2838b961f3a9b58944e08512ddebf0273035b05eda6e309e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEF7D.tmp

Filesize
660B

MD5
ffdffdf9a2ec52e0bcdf2c89d88f563a

SHA1
10baf8207b4e2af55d1890076bf774da2302a1f3

SHA256
13119391dd0878ea37c79d7d84fd3d22fa3ec88e386f8dfc6499f502185e5179

SHA512
8c43de890bf96ccbe6b0d39f4327107c7abaf856dc53b56ece9f39909cf842c2735dca89bb1758f970a8e58bc98cb0c1c13c7749ac30a3db3d5adb3d6470a62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvoa3csq.0.vb

Filesize
14KB

MD5
a0adf6b1fdd098dd92011aca5e253471

SHA1
70591d4f98a83caf4bda8c40a9c01be281a6e4b4

SHA256
2ccc9d0f6b8496cf5fc11d03ac3ff914b89b6eefc75e0521d023152407e5a6e3

SHA512
76ea12bbfe3d8647b041e134fef364bf1e13025586a9c0a3e8d42f0b0773b8cae0b04298ee2bd8a9be1c973662f28d26f5f4a5c6ecd8c6212c7fdad8df3e4d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvoa3csq.cmdline

Filesize
266B

MD5
13b3fee7af4c51a3bcafd92b8f1808e0

SHA1
256e8df5ab77ea773944d9ec75e4bae321dfadbf

SHA256
b34edf84c87c0b5c1c0f4136af3acdb4e16ae1a93df00882cd321560979874c9

SHA512
527efb3ef93b1aa301017bb46e0ec0b4d51c35afb33df41e1d84ac92f4ef6186e57ea659d323b9a183decdd8f26bc582e0188c809449e7c4930956be8cc0072b

Download Submit
memory/2732-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2732-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2828-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/2828-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2828-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2828-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads