Analysis

  • max time kernel
    137s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 11:31

General

  • Target

    172dfff0948ffd964f872b14eb7f6913.exe

  • Size

    78KB

  • MD5

    172dfff0948ffd964f872b14eb7f6913

  • SHA1

    46210c7ff6e8c9478ab56a2b6fc51abeb884e99a

  • SHA256

    89ae493ed4bd8d89f3c014ddb2047be9a96c81b63039c9de35e115424ab32940

  • SHA512

    dcb45cc02b1d2b501ae687362eacdf9186d7872a4d24c62143f7310a93327a0bcde420ad303be80ce3d567cd2426b2673bd26f990ff714ff4a0b53397ed8b668

  • SSDEEP

    1536:zWV58/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6F9/U1l/:zWV58en7N041Qqhgt9/M

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\172dfff0948ffd964f872b14eb7f6913.exe
    "C:\Users\Admin\AppData\Local\Temp\172dfff0948ffd964f872b14eb7f6913.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Users\Admin\AppData\Local\Temp\tmp47C7.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp47C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\172dfff0948ffd964f872b14eb7f6913.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3224
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xateqnii.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3740
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4863.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E46F261E4984DBB814B84F8C2C458A8.TMP"
    1⤵
    PID:320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3224-22-0x0000000074A50000-0x0000000075001000-memory.dmp
    Filesize: 5.7MB
  • memory/3224-23-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize: 64KB
  • memory/3224-24-0x0000000074A50000-0x0000000075001000-memory.dmp
    Filesize: 5.7MB
  • memory/3224-26-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize: 64KB
  • memory/3224-27-0x0000000074A50000-0x0000000075001000-memory.dmp
    Filesize: 5.7MB
  • memory/3224-28-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize: 64KB
  • memory/3224-29-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize: 64KB
  • memory/3508-0-0x0000000074A50000-0x0000000075001000-memory.dmp
    Filesize: 5.7MB
  • memory/3508-2-0x0000000074A50000-0x0000000075001000-memory.dmp
    Filesize: 5.7MB
  • memory/3508-1-0x0000000001AA0000-0x0000000001AB0000-memory.dmp
    Filesize: 64KB
  • memory/3508-21-0x0000000074A50000-0x0000000075001000-memory.dmp
    Filesize: 5.7MB
  • memory/3740-8-0x00000000023D0000-0x00000000023E0000-memory.dmp
    Filesize: 64KB