metamorpherrat | c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75

General

Target

c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Size

78KB
MD5

92b56149bcaa610de8cee54fac72d887
SHA1

c30d7b6bf60600a5fc775c81b735e581b9c42b1d
SHA256

c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75
SHA512

3ea9310e06749d2644518e3ea2d1795aa04a29943a00e4afb4a17adbc4b31a558060859322afd51cc85ce0d82e2453ab9567954a4a4c9d20504f7030b0be3a46
SSDEEP

1536:JRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6f9/gu1aaa:JRWV5jOSyRxvhTzXPvCbW2Un9/Ta

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe

Executes dropped EXE 1 IoCs

pid	Process
3216	tmp6A62.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp6A62.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6A62.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Token: SeDebugPrivilege	3216	tmp6A62.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2932	1080	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	82
PID 1080 wrote to memory of 2932	1080	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	82
PID 1080 wrote to memory of 2932	1080	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	82
PID 2932 wrote to memory of 320	2932	vbc.exe	84
PID 2932 wrote to memory of 320	2932	vbc.exe	84
PID 2932 wrote to memory of 320	2932	vbc.exe	84
PID 1080 wrote to memory of 3216	1080	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	85
PID 1080 wrote to memory of 3216	1080	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	85
PID 1080 wrote to memory of 3216	1080	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	85

C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
"C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kozfwzsm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88D501532C341B28895F19126795616.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:320
- C:\Users\Admin\AppData\Local\Temp\tmp6A62.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6A62.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6B1E.tmp

Filesize
1KB

MD5
cae8e15f3d685f7a68255927b49b53ac

SHA1
aa2c6a741ba86c4f25e0b778ea210e25f92ebbfe

SHA256
8b9fcd26a1e9f573703371c339be72efa2bb4f973b1661ba6dd7d2df7b9737cb

SHA512
d7d8e1e4d490eeebb36feafc773c952c15655e81202f22a0bf9bad7ce67a5eefe10ee0e202f00a1826f5a42c2f845a8070c6c77993dcf5e9b9453370b33d07a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kozfwzsm.0.vb

Filesize
14KB

MD5
807cc491be889f9da458e50ab2da326c

SHA1
cab380906cf2a5006dfb68ddb3eadf80910fa321

SHA256
94f3c3b97a7fe00fecc2563642b092a4beb89c21ec0a136615f869832573b1c9

SHA512
103d11de2ef4cfdeb64bb601eaf0adf6fcee7de4ec4f2d304818dbcb1cd786df9171c59a76674724af181ce5333b2e8aff22a274c8a7e27511ba77b601da109c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kozfwzsm.cmdline

Filesize
266B

MD5
f4d6284ffd68ef1d78ffe5eda71d6049

SHA1
2fd53b24a7327adf90496e97f3245fb6de7f4680

SHA256
8e7939f2ff83bf20e4d7fc3468671cd9a4d6cdded53928e71aac1b7826946ed1

SHA512
b11b981fefad56fcc9bd44eba2ac9074c425a44fc67d37800e091b343bfcebafc358068fc35159efe978ae5ce56bbb44b84d13dc17bbf5a382c1919c4fd25f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A62.tmp.exe

Filesize
78KB

MD5
d503bb3457c1efac95246381b642681d

SHA1
0c0bd4c8ba49e7bb73d9e3995bded982fa66e4a5

SHA256
9533d0c629ff7e3393a15b1221e8f5eeb198e1db2fd446ac0fe85859a3532e15

SHA512
6fe50ed65b63a553d259a0c54fe1d869f179d48abacd1b4c2b619a767722ed9be2fc69e3f96523fc20a14265783b270b2ed35dcc172ba4dca666a6e7703be97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc88D501532C341B28895F19126795616.TMP

Filesize
660B

MD5
f790ee46d3607a85deb0db7c9036de56

SHA1
dda60d641c8b071f9e97331d78254c05bca51a8d

SHA256
e52aebdec77bd7aa15cdebc6eef5f5b2d65e20943eec459a9eed4d79533e3eea

SHA512
80c8eb14f54dfd4882fc7dc60a7e458c6a95cc3b90f001e93a55e57771078bdb387b3adb56d79b2e1501c08deb337ec15a98f6c23d4e62f6299384b85952f5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1080-1-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-2-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-0-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/1080-22-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2932-8-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2932-18-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3216-24-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3216-23-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3216-26-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3216-27-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3216-28-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads