metamorpherrat | 7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74

General

Target

7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe
Size

78KB
MD5

cf82230381774993d0cd616c44bb5220
SHA1

9c7b188af83e08bd976346a2e6055c99a7fdbae3
SHA256

7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74
SHA512

eb641f5c2fa5984904f0b5c87986417483122c04ecbeea46beb3a945200bc1b5252384a6c68bfc27da6cd5203b76034f8d3c2c36f12ba8ab976bf3c48448e5ed
SSDEEP

1536:QRWtHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte6P9/p1P1:QRWtHshASyRxvhTzXPvCbW2Ue6P9/R

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	tmp81F1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp81F1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp81F1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe
Token: SeDebugPrivilege	3588	tmp81F1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3056	4076	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe	79
PID 4076 wrote to memory of 3056	4076	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe	79
PID 4076 wrote to memory of 3056	4076	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe	79
PID 3056 wrote to memory of 3780	3056	vbc.exe	81
PID 3056 wrote to memory of 3780	3056	vbc.exe	81
PID 3056 wrote to memory of 3780	3056	vbc.exe	81
PID 4076 wrote to memory of 3588	4076	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe	82
PID 4076 wrote to memory of 3588	4076	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe	82
PID 4076 wrote to memory of 3588	4076	7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe	82

C:\Users\Admin\AppData\Local\Temp\7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe
"C:\Users\Admin\AppData\Local\Temp\7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjgqo5ao.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49D9F6C0655C46F8AED4A7AB2DA7636.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3780
- C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7b93efdc1a07b8bcbc298b0b8d474e5a2d350f980199a744f74427c3e02f9e74N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES82DC.tmp

Filesize
1KB

MD5
d9bb84e5cfb34d31ac77003cd8b2b8c7

SHA1
9beae89aa9d1eecd7fe017afce6dce6c12c28b09

SHA256
5698aad52de352f975bcdbf639f42e1974e3ce7a089b5e7879b7aec00ae19373

SHA512
a0926a6eb27d6dc08a58e810538e693dcc2cb3b69bc6acc805a492bb04d70996fda56b5f2bf343c5fbcf110dce8cb254d33e6ac310acc2b1111f6d5ada7218b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.exe

Filesize
78KB

MD5
f86aa8c191dcbe0b09ae88741630d77b

SHA1
0ce73afa07123c1398eae8add3dfe218c68969f5

SHA256
c7e576232906644ff77eeaac1328b84af4f29e15b571a9ad088625b2d54e5620

SHA512
8c7d959cafa5d8dd60264d5ada5fd4d6ea88590a0e27a476ac4b07a965b62daaa693f3a0536360082df7d1d659c2ed6cd17c6ec6b2e89f94f0c69e8c10acc303

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc49D9F6C0655C46F8AED4A7AB2DA7636.TMP

Filesize
660B

MD5
3de371690964e93f33818bb2481e7cd7

SHA1
95675556dfe45715cd85fc38038a8889f9986b4f

SHA256
98afb7c7f9605c5eb2d166957eeba838913ca99ade379149b5b3e67607e59563

SHA512
9ce518b83b41bacf8de50b60540403078040873ec8efa61dc13e9369183e6c5364cf8b5b969168436a8af6a0e21deefbd29ad12c94da70089961c6e91182799d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjgqo5ao.0.vb

Filesize
15KB

MD5
f7b5782fe3b54328c895f23c82a70503

SHA1
d170df8670b4af9271f4548ef020b224fe85a59c

SHA256
ef9d1c8dae38d7fe1ad5553bd04ece0d05d930157a7c56d677f1720fdac40580

SHA512
cb84aa44cedf9c041e36e009e33dcd1a7adff4d6518a961f8a64c124f32df45a5ad2b5a8c5bf21b54860d68827cf56ce8a400ef02f3ebbacd10851aba8c209a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjgqo5ao.cmdline

Filesize
266B

MD5
ae7b2139d6ed5b2cecbf246bda911ddc

SHA1
19f429f025852fea1292a3d9531962124be0ce19

SHA256
a81d5f2f60017218815823107108a68bc4e4990d7d5974bac1523c25d4d8043f

SHA512
acbab09213a76daa6aba69a484712ee8ec4d1355448ba2135baec8d52f1897fb50fe705cc250976022b5c82d759b13661587dbf918cf56a331423b1d39928ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3056-8-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3056-18-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3588-23-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3588-24-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3588-26-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3588-27-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3588-28-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4076-0-0x0000000075162000-0x0000000075163000-memory.dmp

Filesize
4KB

Download
memory/4076-2-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4076-1-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4076-22-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads