metamorpherrat | 9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3

General

Target

9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
Size

78KB
MD5

6791cf354d7374245788d7279ab016c0
SHA1

363727c303a29bd921933127da58d95f529ef2d3
SHA256

9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3
SHA512

0df98fbf11fb42f3e03ad5f738765ad4bb606980ddf9cd0d558b9fd3a732b996e33a90a872bfd0d506a7d28589fe13ab9ca6909b6fbe5661c9f4acd99d281b3e
SSDEEP

1536:GStHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtMd9/z1RM:GStHLdSE2EwR4uY41HyvYMd9/g

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2944	tmp89E8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp89E8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp89E8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
Token: SeDebugPrivilege	2944	tmp89E8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1328	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	28
PID 2868 wrote to memory of 1328	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	28
PID 2868 wrote to memory of 1328	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	28
PID 2868 wrote to memory of 1328	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	28
PID 1328 wrote to memory of 2888	1328	vbc.exe	30
PID 1328 wrote to memory of 2888	1328	vbc.exe	30
PID 1328 wrote to memory of 2888	1328	vbc.exe	30
PID 1328 wrote to memory of 2888	1328	vbc.exe	30
PID 2868 wrote to memory of 2944	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	31
PID 2868 wrote to memory of 2944	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	31
PID 2868 wrote to memory of 2944	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	31
PID 2868 wrote to memory of 2944	2868	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	31

C:\Users\Admin\AppData\Local\Temp\9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
"C:\Users\Admin\AppData\Local\Temp\9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3dkxjoos.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AB3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Users\Admin\AppData\Local\Temp\tmp89E8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp89E8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3dkxjoos.0.vb

Filesize
15KB

MD5
481bb4ef8a906bbe85a3f552d34c6d33

SHA1
b7070a8158c3eb739f6fcb7220020768051d9761

SHA256
5e87b2af6744444b0e958defc4a7c2f26e3db52566551566da216b5f315c5ac6

SHA512
eea73c9b761cb76bce5b2aec37e97505fe14a6238324ed9535576eee481f5da46155ff83faed076940b86a2caaa0d2f5b5ccee768920da327a25582887fd72e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dkxjoos.cmdline

Filesize
266B

MD5
05c75532994025c6b6a920792d357cde

SHA1
aff35a277cb925f6c9a94aa6bd650160c5506c82

SHA256
f1a0c5b06c35f3e43276fd7823706b732337e4c9d085bf5c1c402f116f30c8f2

SHA512
4fa51af4ebb86a495c0693d7ef81fe7d020c7ec684309b7f5340f820b0aafc3e13c79c859c46dc78026f6d6e75e67a04c3880f0b290abc3ac1305ede01a6cd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8AB4.tmp

Filesize
1KB

MD5
f4ea54814cf284c2564bb47035528706

SHA1
e2ed63d4d92183facdd19364c0daa21d753e3e56

SHA256
08483d46cc9c7a5ee73749dd70fe54250fba4eabef5c7ebf74e45529f8f7d271

SHA512
b2d99b89adeedb7bffcdf81516491cba335b5331910dd5857b7c8ee8a6b40e2b096152c4fdfa8a7998650138c89a10632da2a6cead2cb0b0c185ef09569af2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89E8.tmp.exe

Filesize
78KB

MD5
8b8444b9472d681a04356c5b66c23296

SHA1
09ffd3c5cd6c1dbe22d6a2853a27768c11fcf45d

SHA256
7805c1c94317d1e06d41f5523efbbf46e3420c0cc10a1f92c8ab2ca5f8a0d27d

SHA512
636bfac9a88b411e7531f4f22fcd51e0c48f6fe51ae5ff0d63eda0f654f1760ce4002e89f00115fe1b79b0cb0fc00bd8eee2f32fd6cc83ed6359966a2833466f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8AB3.tmp

Filesize
660B

MD5
a9efec4000a954b8c0fedf88ad07bab5

SHA1
ff216a8f489b3a20268bc46d6845da8470307870

SHA256
fb782345d3904e282125bde7c9c64f5f434c2a2910b5ca8eaa69af5c5e968737

SHA512
234102648d9f52634ce1edbb09e77b8416b7f1ba4dc75690513854faeb9534a88bec42a0eee660a3405dbaf8e095d5446e2ea24d966fd9819676c79fa89cb762

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1328-8-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/1328-18-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-0-0x0000000074211000-0x0000000074212000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-2-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-24-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads