metamorpherrat | 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5

General

Target

7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
Size

78KB
MD5

0fb564b3867f161ba694c2681545f6a0
SHA1

3deb46295458313f827742a44836557e337c1188
SHA256

7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5
SHA512

45db670cb03ec50a9207977a89fb8ccb3b9eec3d2d1a99b4811f16d8c7e44f30a0bf213ba98b4615ab3536dadec181e462caf67bf69f04ffdf0063a2b2b036e4
SSDEEP

1536:DV4V58OAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS6B9/y1Zb:x4V58OAtWDDILJLovbicqOq3o+np9/W

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe

Deletes itself 1 IoCs

pid	Process
2816	tmp7C92.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	tmp7C92.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7C92.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7C92.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
Token: SeDebugPrivilege	2816	tmp7C92.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 4804	4424	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe	82
PID 4424 wrote to memory of 4804	4424	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe	82
PID 4424 wrote to memory of 4804	4424	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe	82
PID 4804 wrote to memory of 4716	4804	vbc.exe	84
PID 4804 wrote to memory of 4716	4804	vbc.exe	84
PID 4804 wrote to memory of 4716	4804	vbc.exe	84
PID 4424 wrote to memory of 2816	4424	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe	85
PID 4424 wrote to memory of 2816	4424	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe	85
PID 4424 wrote to memory of 2816	4424	7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe	85

C:\Users\Admin\AppData\Local\Temp\7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
"C:\Users\Admin\AppData\Local\Temp\7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3s4ymd5m.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE295DA842BE442FEA0AD25D4EEF2715.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4716
- C:\Users\Admin\AppData\Local\Temp\tmp7C92.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7C92.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3s4ymd5m.0.vb

Filesize
14KB

MD5
f2d137c41227e6687a785294edc58e09

SHA1
120e6d33fc2823765d394fc5ecee326443fa9e3d

SHA256
28395d08b56e106487199a1cb79823e9566dc3fafd2ad4c4bcb60ad29ab4a861

SHA512
d18c51455b729a609f7ce52a5eb240f3d7535f76ba6153119276f344155a2850658b36ac9c92d79b73f8c97bef854307055e484d5dde246cd170004197fe2224

Download Submit
C:\Users\Admin\AppData\Local\Temp\3s4ymd5m.cmdline

Filesize
266B

MD5
faf245613a0593e51e6a4f66aae4e3d4

SHA1
2d34b8bce4bf21574ade07ef7b9d746e75e44fac

SHA256
0c851a51ff24a4a9a7d4210c25baa71e1ee701e8f0981fd35ddff9bf7ff5eed1

SHA512
f1bf93749479e982aee56147f405c14b034f9a58489f8169445c3c4872cc4d282911f41791d44605f5ada2a3d7f5df59b9abe272b4faa1cc2b758ae6dd0193b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E58.tmp

Filesize
1KB

MD5
da24b87e41a656469b3f57956551212d

SHA1
514de6d330764d4d61cb45ebbbebd8bd4459147c

SHA256
ad471ff35d66337064fcd7d42eed9fb71e293a1f8c3e17eb2499057189506959

SHA512
2737133db048c7b09e47e4a83630ba4919060f00e8ae49d3bf6332dc05d6700eccc5a18d7d6f152a7810d06e671586238df0f2156bf5baf792e663b630314462

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C92.tmp.exe

Filesize
78KB

MD5
44a3b3f16659b36480051f203dbe3782

SHA1
16d1d881ce52b5046006f5886ff381193a76c75e

SHA256
284fa402e49b155476e1425a0dbe5305b50a37329f0745133ebb20ad776c214d

SHA512
a7b734cbc94db82805106e5f35f9b0e8a9eb4ce8ac2282efbcadc1d2dc9360961dff944895534c928f2cff3c6a6a8a521b696ecc5caca01cb7336499145a3cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE295DA842BE442FEA0AD25D4EEF2715.TMP

Filesize
660B

MD5
8a5816204cbc965ae15f87c4f146fd42

SHA1
7cb1b03fa856c91ef833c92b92ab2a5e30ae256e

SHA256
05cbc60b94253b73e22a29b39af3ff277ffd36d4234c9b9f5c00579b4184b46a

SHA512
0fd72e1b99bc2250c9496ab7693fd80ada0fc498b9417f08a16fb027e313ab772435d4b30fa87c08acba737be2dca2ca696a3fdb9cbc1a5798ced565b89fc603

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2816-23-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/2816-27-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/2816-26-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/2816-25-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/2816-24-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4424-22-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4424-0-0x0000000075352000-0x0000000075353000-memory.dmp

Filesize
4KB

Download
memory/4424-2-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4424-1-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4804-18-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4804-9-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads