metamorpherrat | 03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88

General

Target

03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
Size

78KB
MD5

5eccb60697d60d1fbfd0518f9b7240ee
SHA1

ddc8607b374394894aeff2e282941b400d55ffd3
SHA256

03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88
SHA512

30416f3485e9d7c44eeed735f2a26962f6430cd6a176cf4e04de50d62f9d1c64abe5a4cbb7e618d90d502f45c289f2c754c97beb2673942f03b2635dd48349a5
SSDEEP

1536:PPWtHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtA9/qi17j:PPWtHYnh/l0Y9MDYrm7A9/qM

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe

Executes dropped EXE 1 IoCs

pid	Process
3764	tmpCA74.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpCA74.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCA74.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
Token: SeDebugPrivilege	3764	tmpCA74.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 804	2236	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	85
PID 2236 wrote to memory of 804	2236	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	85
PID 2236 wrote to memory of 804	2236	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	85
PID 804 wrote to memory of 1880	804	vbc.exe	89
PID 804 wrote to memory of 1880	804	vbc.exe	89
PID 804 wrote to memory of 1880	804	vbc.exe	89
PID 2236 wrote to memory of 3764	2236	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	90
PID 2236 wrote to memory of 3764	2236	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	90
PID 2236 wrote to memory of 3764	2236	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	90

C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
"C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v8ngvvzx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E1844C2E0F64491855ADD1E0C96B1F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
- C:\Users\Admin\AppData\Local\Temp\tmpCA74.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCA74.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCB6E.tmp

Filesize
1KB

MD5
e9c04de60a5cdff293794795611d59d4

SHA1
6b0646e249cf173887ae4e40f48b1275facf0a48

SHA256
22bb897846f1830d09d73cb6473aae3fc2ed9253202490d6ae4f3c50eb8865cf

SHA512
3bd9bb9882c18d9a468b4d8cd627b00197b3c5e1d058fd89e9be93a7b35c0de232802dd2b666b3bb1ab92bf449904ff964c4039e86704c1affb3a5c18cd6adf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA74.tmp.exe

Filesize
78KB

MD5
bee63af3286740b1c0df59d2e416f2fc

SHA1
0a85fb377e17e9dfec8567a00bb3e73b5bdb210a

SHA256
e518a71f2129f9bb95b5bd94faf34f3a88ca17c1313fa7156811be9c44e0a4ed

SHA512
87addff36877cd7da336fc79519eb95ea896a53b850c975f82763339164ca8d2be82122da1e1271af384a0ec75d56d1327199df2daf841c432e424165e7821ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8ngvvzx.0.vb

Filesize
15KB

MD5
40bdfcb8da89b19fc73cffae6e4bbf43

SHA1
924d019f8e4b94da62191574b40acc993e4d894a

SHA256
c496d75b3c18f2748bcaf35fe19714da1a3def85017b000b0f660a1335d0eb4c

SHA512
cde8a9a119e27bfba1f83da689c3d3619b0c4d6a86a90117720b00986721c3f51ca49a0386648b5f2dfad2d94b06e26a479c35f60715865a079cc1d88d40f6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8ngvvzx.cmdline

Filesize
266B

MD5
1e95791daa50a07fdc731dcaaa69032e

SHA1
f39f2a2c154a82d65e2b12a3e51335215d68d372

SHA256
ca746d8e617d1cc047ad2675a63aebdd537fdd27b72534f23d390ac61650ba2c

SHA512
2cb01025fb3e655d1ed3838c2d9dce6e9e8ecc47e7f0574e04cbc639b2657ea12e012b1a188667f02cb8fe967fabed05645c3999ae315ce358bc3ef3f33dd5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E1844C2E0F64491855ADD1E0C96B1F.TMP

Filesize
660B

MD5
8a0b8b7b1db35f243f1f91f1d7b1794b

SHA1
49ec676317f9decb689601dc337672e093ca0c5f

SHA256
69cd35e7644764628b376f2bbc2b3740a59f52630495db0a6630f43cd9b4c41a

SHA512
7278ef6750a51911bd3c5fadc88d0e53c7b2728f1542e66a38c22287458dc952c6dc04e4106c559407364c49367096ad4c080394e40df526c2ee5f376c46853d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/804-9-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/804-18-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2236-22-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2236-0-0x0000000075582000-0x0000000075583000-memory.dmp

Filesize
4KB

Download
memory/2236-2-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2236-1-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3764-23-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3764-24-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3764-26-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3764-27-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3764-28-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3764-29-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3764-30-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads