metamorpherrat | 93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026

General

Target

93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe
Size

78KB
MD5

f9cac15dca2ee21a0314716f9d7f9920
SHA1

9ea7454963d61d4b5f92477980c13a30e6026caa
SHA256

93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026
SHA512

a7bdb423ade37b07b5bfc8ce4ca27c8add4fc7a473e991881d1df897fa5a64e54f4ad077b29d68e20781b51ed41a723b6cfe805430f5bfc64510ee20d38e70dd
SSDEEP

1536:NuHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte6r9/GY1mC:NuHFo53Ln7N041Qqhge6r9/Gw

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe

Executes dropped EXE 1 IoCs

pid	Process
1028	tmp9933.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9933.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9933.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe
Token: SeDebugPrivilege	1028	tmp9933.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 1044	3576	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe	82
PID 3576 wrote to memory of 1044	3576	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe	82
PID 3576 wrote to memory of 1044	3576	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe	82
PID 1044 wrote to memory of 2240	1044	vbc.exe	84
PID 1044 wrote to memory of 2240	1044	vbc.exe	84
PID 1044 wrote to memory of 2240	1044	vbc.exe	84
PID 3576 wrote to memory of 1028	3576	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe	85
PID 3576 wrote to memory of 1028	3576	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe	85
PID 3576 wrote to memory of 1028	3576	93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe	85

C:\Users\Admin\AppData\Local\Temp\93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe
"C:\Users\Admin\AppData\Local\Temp\93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1yzzpv7w.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8EDE41B182304E73943367CE3BC9F97.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe" C:\Users\Admin\AppData\Local\Temp\93e9fad7246e4cf1f54e22a133feaee4796e082e380d4969944d5ec39c604026N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1yzzpv7w.0.vb

Filesize
15KB

MD5
cff38a8c1d2cdbe59270089ced7dd459

SHA1
db52025c64364479fd1c68dec670492216cfe08a

SHA256
63aa56cc7ae870e2465c4cccc8f14da75996d838ac67983a97b3bc578900018b

SHA512
449c8feeb24b7421452f3667986ee336d598e7e5d9268184b6f3c9415ab3efc8d6f34bfb04f2cd7db25c8a9fabbc323bab94de75d420e3a4aad42c830b67d2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1yzzpv7w.cmdline

Filesize
266B

MD5
895bd931fea4aeb91b54bd24172e789f

SHA1
ed08159f95df9ef20fe35eaaf6e023a18bfd534f

SHA256
46ad6ffb84d474fcc2f250c2eeb756dc8483c5080d3bf10842728db4dd3c88ca

SHA512
f822ac59d03a4c4121decda14a0bdb1e16d354d29e141606baf193fa9fda214d5ebbdaf748f226385453998fd6e60d380819f7ac497d2d9001d744e612afac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A1D.tmp

Filesize
1KB

MD5
ab50c1e75b69a043fa52b86d8f9fdef9

SHA1
9b97c862eb4bed5cff2cc832ec63688a45b782a0

SHA256
20baca4366d88c26d80785c13125f875527461e6e4e3bb7c36373ceb7c4bba92

SHA512
89d0b25b276f102855e236b230c2222095feee2a3bf252526af8cb35402252185b52d141c3518acbce4e378ac192865d7efb7027436f6465a02b94757d038763

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe

Filesize
78KB

MD5
fd573b0e51b77895a2cb1d9bf019078e

SHA1
ceb37a60a5d825f481ba4f6a2a68e446c45bb64a

SHA256
00570e2337e68a3a18fb9833410a1f522204c9aa311c745aedacabfc2cc46909

SHA512
4ae8f54ee239b478c5e9436cca7bdfc3a108a905862d26a93f15e60e4a302922eec6441065adf2443bb1cc354f26a508589b5cc9c1b933f9e2bac0b4e8bb1c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8EDE41B182304E73943367CE3BC9F97.TMP

Filesize
660B

MD5
3421fa6b4239de530eeb762dea535b6f

SHA1
8a99eb144657440ddf300203563b8f8191b52afa

SHA256
0a57e75cb883d5c26e04e7dd6b863ff424a62078b100cf386bf0d464907a4bba

SHA512
cbcc0d8b9f8b2cf18c2ece7510b45f371e2d361f86b3289d907bccfc4bfbe6ccb4ac90833a1823d407a8cfb1eca816a35bb26e7789970878c5f2cb1ab6f2ef94

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1028-23-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1028-24-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1028-25-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1028-27-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1028-28-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1028-29-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1044-8-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1044-18-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/3576-2-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/3576-1-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/3576-22-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/3576-0-0x00000000748A2000-0x00000000748A3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads