metamorpherrat | 03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88

General

Target

03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
Size

78KB
MD5

5eccb60697d60d1fbfd0518f9b7240ee
SHA1

ddc8607b374394894aeff2e282941b400d55ffd3
SHA256

03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88
SHA512

30416f3485e9d7c44eeed735f2a26962f6430cd6a176cf4e04de50d62f9d1c64abe5a4cbb7e618d90d502f45c289f2c754c97beb2673942f03b2635dd48349a5
SSDEEP

1536:PPWtHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtA9/qi17j:PPWtHYnh/l0Y9MDYrm7A9/qM

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe

Deletes itself 1 IoCs

pid	Process
2664	tmp8B38.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	tmp8B38.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp8B38.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8B38.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
Token: SeDebugPrivilege	2664	tmp8B38.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 3748	1144	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	86
PID 1144 wrote to memory of 3748	1144	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	86
PID 1144 wrote to memory of 3748	1144	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	86
PID 3748 wrote to memory of 3200	3748	vbc.exe	89
PID 3748 wrote to memory of 3200	3748	vbc.exe	89
PID 3748 wrote to memory of 3200	3748	vbc.exe	89
PID 1144 wrote to memory of 2664	1144	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	90
PID 1144 wrote to memory of 2664	1144	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	90
PID 1144 wrote to memory of 2664	1144	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	90

C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
"C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvvwbmvw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48222B92F84447348837814AD99E5620.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3200
- C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8C71.tmp

Filesize
1KB

MD5
9160685580ca70142bb1224328a04182

SHA1
ccc1f3c8537f4392f06a16ed442c159744766c48

SHA256
cd69d1227b9c392cc4541b3f9c9605a6ec1589de592984c95a531adbc6c5723b

SHA512
f0b1d86bb7e1c3a282b681dc944b70944952818eea2defa7bfe133a158cf78fb4a92d4af060ee00df3b017bcbb2d8a200ac7375f8a9c7a19edd2c83a2018fd9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe

Filesize
78KB

MD5
cc7ead7a50d0d050f74c4fb90c603072

SHA1
71a64dd9cca45388a73bbca235d9c6efefed197f

SHA256
43a79a389fb231385c4db59923a197633984e5768401b874b357039e9d32431a

SHA512
a0702a4ec2dc8effd5d8d1eb2c31c2aab547ea0ae6bc28fda46f7cde021b1d07cf0c3a5366d856cd9e944e448a6c85057cec10f795e363c87326b397078a5299

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc48222B92F84447348837814AD99E5620.TMP

Filesize
660B

MD5
6c12edec29debd4b59e6605230a4b284

SHA1
f3a5bc427349534b4a702e9d8ddd715a8880d503

SHA256
0bb208a2bed30886af6ef7aa16bfb8d4a5c33c4f522869db96ae1b23466707ab

SHA512
0223ba2227def9537fcd25f119ec2087101b94edb317a490f01a2113a19d80c2dfb1e8f524eb4fe44f101efd2a80c0797e534ecd75f1630171ac369ddffb62e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvvwbmvw.0.vb

Filesize
15KB

MD5
301e398ea4c63467e9acad17c08dd09f

SHA1
fcdf4a0e8922ae0414d9a463dd542d58f22d7115

SHA256
9760789b85e24d6baa9da1f42e065bb3621a9640dde29b51a8d04cc535929596

SHA512
5b487b855cfe3169b0e26e4110013e0225cfc0ee8a637e1ded11b851e24b394f123399c5cd16055cb725cf80feab05acab445f6568c0d12aca8e2adedb769bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvvwbmvw.cmdline

Filesize
266B

MD5
91ada655f8596977f4951f1157a27d59

SHA1
081126b418f2aea1996799f8a7f4bfa1b34176b0

SHA256
987a461dec01d4f15a1ac0b006e36507bd2ced2b5edc68d2f59b4c9537303c03

SHA512
7b797686333356f7ba0fc06ccc48e04aba1c3858e4a35ec71ae8953fcab0ae78854351233e33b17dacf882b97564888f8947d9be257791ebe483369d9fa146f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1144-1-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/1144-0-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/1144-20-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/2664-21-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/2664-23-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/3748-7-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads