metamorpherrat | 031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75

General

Target

031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe
Size

78KB
MD5

4850b7b771b511ac48766c309e4f3a61
SHA1

5529f883704d716e2f31cb3fbc83a66dc8a85bb7
SHA256

031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75
SHA512

d51d952895db315acd5901febc740a54be5075108b2348f20a16dce532803812819fb9d33d8622bd7eb74a5418de0e337b83c73fe51e6823a4d18e4d33d68ef3
SSDEEP

1536:XsHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtg9/q1ziO:XsHY53Ln7N041Qqhgg9/tO

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
46	2472	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe

Executes dropped EXE 1 IoCs

pid	Process
4396	tmpEED4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpEED4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEED4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2088	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe
Token: SeDebugPrivilege	4396	tmpEED4.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4752	1300	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe	90
PID 1300 wrote to memory of 4752	1300	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe	90
PID 1300 wrote to memory of 4752	1300	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe	90
PID 4752 wrote to memory of 6084	4752	vbc.exe	92
PID 4752 wrote to memory of 6084	4752	vbc.exe	92
PID 4752 wrote to memory of 6084	4752	vbc.exe	92
PID 1300 wrote to memory of 4396	1300	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe	93
PID 1300 wrote to memory of 4396	1300	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe	93
PID 1300 wrote to memory of 4396	1300	031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe	93

C:\Users\Admin\AppData\Local\Temp\031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe
"C:\Users\Admin\AppData\Local\Temp\031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5i7guvnz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBEECA20735B48B4BBFBC199A550AE3C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6084
- C:\Users\Admin\AppData\Local\Temp\tmpEED4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEED4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\031e56774f5e69559e50dc635824c3093161190246314606c9b6682b502f4a75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4396

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkNFNTVFNzAtRDI3Ri00RTAwLUJDN0QtRDVBQTIyQkNBOUIxfSIgdXNlcmlkPSJ7MkRDQkREQTUtNUJGMy00QjhCLUI0OEEtOEYyMjkyRkQ5RDMxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjI0Rjc1QTctMjA1My00MkJCLTk4MzEtNzIwRTUxQjc2RjdCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDk2MDYxODc2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5i7guvnz.0.vb

Filesize
15KB

MD5
d4774e5913216422f9f673bf9771186c

SHA1
1bb4416681ea2e5905b856185b6a343bcfc3766b

SHA256
57aeccecda0f8c124c47222402119ab3694db162ca2994319d57645a821aecb9

SHA512
4ebf8e0fcbecac9866e3af138737f2da84894f082799c21babb5c158d5c70af2153c588741dabf569fb331a1ae468b5e7e5dedf9a91634a3a1e3bea316142f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\5i7guvnz.cmdline

Filesize
266B

MD5
051af69bd46ecb8e0941151f31c5a99d

SHA1
8ac19204591d85789c066a1ecda56f6e65786482

SHA256
42a02343868634b5412fe1c53eae98962d3a988a61eefc39bca2a1259f4a88e8

SHA512
db804eae95739bb54e0b2d64efb534b3519f9d4098f750207c0f6f839fcdd45557e1aafe04031a45b30655843dded6b12af79a4a0666dd4e8cb6d4ab20a1b3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF80.tmp

Filesize
1KB

MD5
f94e10915bff3b027c320e319c3a5dd9

SHA1
12f84f14ae511ac5c83cc6167ee1c9931a590b89

SHA256
0d07f2be1bc61abdc3f1649799862b19ea95aa9bd05103a168eb07ae9e60d149

SHA512
6cdc80e00ff8ce89f18bcd345ecb00f70f2fddcbb1da0db0df6928e02708b3758695e68acb6fa12f65c6ccd7af68671c4a62aacabed11456548aa4bde4b7aa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEED4.tmp.exe

Filesize
78KB

MD5
a170d305e377ce3430eb0f765bfaf87d

SHA1
110d4509a4abaaaf92bbae617127dc52b8194029

SHA256
9d1d91009f6dbe8e9478d5e1988bc13d09081da98e6217a1dde59181d19235ac

SHA512
2bb18458082575f88ed868ff7649ceeab7854acd9a4252e7ec4e8334e21eb338ee10e87743594685c08685db9f43a6554800d71790fa6bbbeab112f92708d3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEBEECA20735B48B4BBFBC199A550AE3C.TMP

Filesize
660B

MD5
73f9b3b8a44f510e9c6e00403b51ae54

SHA1
20694eca7c3289a4276973d11e27d9cedb21265c

SHA256
ec4a0a2a8669c66f19058c4289b679daacfd690a132e7b666c5aba181513c13f

SHA512
d0a52254c8d3b3cfc573367754a795389063d7f65c735f5b587edf80be8c36495d00beee3f25b5b45a2702cec9136061fd35186ab2ec1e43934d093bc2afdc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1300-2-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/1300-1-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/1300-0-0x0000000074552000-0x0000000074553000-memory.dmp

Filesize
4KB

Download
memory/1300-22-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/4396-23-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/4396-24-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/4396-26-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/4396-27-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/4396-28-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/4752-18-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download
memory/4752-8-0x0000000074550000-0x0000000074B01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads