metamorpherrat | 62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe

General

Target

62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe
Size

78KB
MD5

303f3852e9c33033c8483c618666d6fa
SHA1

2d3753a342d4e4edb2c27ecb08fc1d84a7998b97
SHA256

62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe
SHA512

d25a8df50ce8165528b9f7918d7eb5cf80d55f24faa25cbae4e9fa2dedd9b7e7f71be1d30c25a743c78275e2aa75a587ea163271633153d2a7ea2aa19ebd411a
SSDEEP

1536:FWV5jULT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6a9/L1ZG:FWV5jiE2EwR4uY41HyvYi9/a

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe

Deletes itself 1 IoCs

pid	Process
1904	tmpE659.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1904	tmpE659.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpE659.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE659.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe
Token: SeDebugPrivilege	1904	tmpE659.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 3980	1304	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe	87
PID 1304 wrote to memory of 3980	1304	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe	87
PID 1304 wrote to memory of 3980	1304	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe	87
PID 3980 wrote to memory of 4884	3980	vbc.exe	89
PID 3980 wrote to memory of 4884	3980	vbc.exe	89
PID 3980 wrote to memory of 4884	3980	vbc.exe	89
PID 1304 wrote to memory of 1904	1304	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe	92
PID 1304 wrote to memory of 1904	1304	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe	92
PID 1304 wrote to memory of 1904	1304	62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe	92

C:\Users\Admin\AppData\Local\Temp\62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe
"C:\Users\Admin\AppData\Local\Temp\62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a2wutzcr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE762.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7092567D109442229B3DAFF476AF9753.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\tmpE659.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE659.tmp.exe" C:\Users\Admin\AppData\Local\Temp\62e2081e605263a3a9db323f34514fcc0e873262abbe8dc62c5b03d4d770eebe.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE762.tmp

Filesize
1KB

MD5
7998c75fa5ba986b7c2193ad62a04d68

SHA1
7b4c573aaadde257c7b5dcdb8ecee529ba149b09

SHA256
a8c281b3850af67751924b48035a1265d310916905d33d37db831b8969968a37

SHA512
e255679c2e7f7d0c4ddfa17350d79a113a6bceec0072c80fae1dc1587a39431918f0b2316eed97ecb1fd16f48d64088c31714c0c5a761064aeab9b2d4332c686

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2wutzcr.0.vb

Filesize
14KB

MD5
f94544e6652ddd7d35fec65e05d79d41

SHA1
eac3ca3f285c09eb6491788491e7ef4f5bcc93c4

SHA256
feb9146138c81051a34fb97a3d6a19b46ca3f4aed494db82d51f86fa1d8d3561

SHA512
166aebbcc838dff7245867b213db16f3f750f9ce79b7fbdfabb1d25fbefee12475b4859d27f042dac4e1bbbda23fa6cf2f3327e8e544f613da242d089b3bea47

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2wutzcr.cmdline

Filesize
266B

MD5
3ed05fa1b9d6fa28a11aa2e6dc3282a7

SHA1
94b1c67a919ac66f68ffc28fbdd005dc469750f6

SHA256
aa7d98ebe2f84ebd298973200e1cc285ee8b235b1f7787ad6e3bb63596cd5e0b

SHA512
319cba160513bd37e2c592eb3a24c27ac0b24b4ded7d0edba45cc8fac2dae4ca05d1d3121411cabfbb3a7d6dc8165be4cf9e66161f67ee85da635d6960049c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE659.tmp.exe

Filesize
78KB

MD5
baa6aac1dcbd8d24d92138de2c2ca525

SHA1
ab0d9052e54202aa55cfdc98ac6e5f9511f1d4c6

SHA256
eb4da4dd52f347c30609aca8d7018d95c5707fe0db3ffc7de451ac958d40204d

SHA512
ea2744649aee59537326578c239adb29766e3ebe8012042dcd8f63ef218cee3edeb80bce03c5b3f4a0901d24856cc02d0260da32385fbc0ae0285a98c4e632a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7092567D109442229B3DAFF476AF9753.TMP

Filesize
660B

MD5
44a9ab7045890bce04501f2583da7aa7

SHA1
92d3bc024b43186f86aec2a222016d3c197c1b79

SHA256
e8d11751230a9cfcbfe9ba70ec204c91c43fb8e7ed15a0c8170e9d24f0ec0d9f

SHA512
736e5b563d19b702485a3898423c18db59cbe9de3e4b07000dac6a30c341ce14a8d46db582faf353df9b44983bf583045e87bf801089bb11ab48acd1e6c4df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1304-22-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1304-2-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1304-1-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1304-0-0x0000000074612000-0x0000000074613000-memory.dmp

Filesize
4KB

Download
memory/1904-23-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1904-24-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1904-26-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1904-27-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1904-28-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/3980-8-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/3980-18-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads