metamorpherrat | 546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5

General

Target

546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
Size

78KB
MD5

326df025d844f01aa9ba686a47ee3ea0
SHA1

424541dd4ab86075b4a80898eb14f25c099bfe30
SHA256

546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5
SHA512

5f6af293ad57891f8c9573c91d78b435ab6b853ffdb983f049e66aa78e320872df04f5c3d43acf05cdf0df109976e4a39feff7b4ec5b29b13250711629205e5b
SSDEEP

1536:StHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtx9/81vr:StHs3xSyRxvY3md+dWWZyx9/6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe

Executes dropped EXE 1 IoCs

pid	Process
1772	tmp9078.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9078.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9078.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
Token: SeDebugPrivilege	1772	tmp9078.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 5080	968	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	85
PID 968 wrote to memory of 5080	968	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	85
PID 968 wrote to memory of 5080	968	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	85
PID 5080 wrote to memory of 3452	5080	vbc.exe	87
PID 5080 wrote to memory of 3452	5080	vbc.exe	87
PID 5080 wrote to memory of 3452	5080	vbc.exe	87
PID 968 wrote to memory of 1772	968	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	90
PID 968 wrote to memory of 1772	968	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	90
PID 968 wrote to memory of 1772	968	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	90

C:\Users\Admin\AppData\Local\Temp\546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
"C:\Users\Admin\AppData\Local\Temp\546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\syy2wm74.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9163.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc728C0A40CFFF4E21ADC2CDC2A117B952.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3452
- C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe" C:\Users\Admin\AppData\Local\Temp\546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9163.tmp

Filesize
1KB

MD5
cd65375f1f4f76c6728e6e631c3b5526

SHA1
59f79dc50b942e093c4aae2c9b67ac9c0a9b5965

SHA256
ac5013274fc03f6457f940a225cdff94c3f2e9f54e8e2ec6b94af58f41e6dfef

SHA512
c579e7c823b7a667fbacb40f014a8bdd29afcae6b535b4b29b8ba1c3e014cab2529f4f406ba229914b578a3c30b7463f364405e0affc44546f29cb33849d9f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\syy2wm74.0.vb

Filesize
15KB

MD5
a89b04392fdee3c585f5b545e14e6ab5

SHA1
870164321b4914c3d30f6c4206c78acab133fdd8

SHA256
e26a3a51dd60d44045cdee68cac4ea09cfa500180c70c88c2d7e11fbcf390f34

SHA512
dc76ebbf1d03d5227cb6118ad068aef4d8c54fd62cadc3ccd2e3649eb9125a603dac77d639d7139f8bad38d6e21ea6735571d5952dc15d9c7ad26b124d3bff54

Download Submit
C:\Users\Admin\AppData\Local\Temp\syy2wm74.cmdline

Filesize
266B

MD5
c474037f3ad5fc83bcb44b14e6033c26

SHA1
2a735704eefc9ec63a28bd80be3dadce5302c77f

SHA256
a9b78953584386d9f684faf8e51999e5f7aad7ec81c464e91ba49eb3ea9e4e48

SHA512
40973f51aea8045e3c2a6d23714b58cf2930ad904edf1f4510a65e51c192da9e368b82c8b1a2d234a866d06881a4568084abbbe583654f4af9267588da9e3517

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe

Filesize
78KB

MD5
7b79cabb32d9723581758c062f5f0f45

SHA1
206bf4369e0ba6fb8e62104839d254656b10c0e3

SHA256
6fd0874e457f14221bf5fcedb4c8b832fcedf43bd78de87dbde2cfd76b21b94f

SHA512
a819c5972cb7c63c326e93ed6ada14b7d5a0f96ff52a089d0d200d2dc552b193d0e9b32c0cc1e73ef597d282a87296821a7cb662ad8c444fd5303857c8e2941e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc728C0A40CFFF4E21ADC2CDC2A117B952.TMP

Filesize
660B

MD5
32741ea970ff307cb5cfa6b1ba6b031e

SHA1
cd75d1ac56a265e509f28f65398506b922122ee9

SHA256
fbd1341dd8e9c6f33664588b30f831a674345a548124679ead921aab6d4035d8

SHA512
95174c0b88e4b17f767044ec65996576afc4607256ce647b0fb22f508a62b92ca2dcf0b66848d286e30885526694ead9f920ce643363a3214326ecbe1c2e1da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/968-1-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/968-2-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/968-0-0x00000000754D2000-0x00000000754D3000-memory.dmp

Filesize
4KB

Download
memory/968-22-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1772-23-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1772-24-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1772-26-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1772-27-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1772-28-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1772-29-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1772-30-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5080-18-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5080-8-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads