Analysis
- max time kernel: 137s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 11:31
Static task: static1

Behavioral task: behavioral1
- Sample: 172dfff0948ffd964f872b14eb7f6913.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 172dfff0948ffd964f872b14eb7f6913.exe
- Resource: win10v2004-20231215-en
General
- Target: 172dfff0948ffd964f872b14eb7f6913.exe
- Size: 78KB
- MD5: 172dfff0948ffd964f872b14eb7f6913
- SHA1: 46210c7ff6e8c9478ab56a2b6fc51abeb884e99a
- SHA256: 89ae493ed4bd8d89f3c014ddb2047be9a96c81b63039c9de35e115424ab32940
- SHA512: dcb45cc02b1d2b501ae687362eacdf9186d7872a4d24c62143f7310a93327a0bcde420ad303be80ce3d567cd2426b2673bd26f990ff714ff4a0b53397ed8b668
- SSDEEP: 1536:zWV58/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6F9/U1l/:zWV58en7N041Qqhgt9/M
Malware Config

Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation
  Process: 172dfff0948ffd964f872b14eb7f6913.exe
- Deletes itself (1 IoC)
  pid: 3224
  Process: tmp47C7.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 3224
  Process: tmp47C7.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  Process: tmp47C7.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid: 3508, Process: 172dfff0948ffd964f872b14eb7f6913.exe
  description: Token: SeDebugPrivilege, pid: 3224, Process: tmp47C7.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 3508 wrote to memory of 3740, pid: 3508, Process: 172dfff0948ffd964f872b14eb7f6913.exe, procid_target: 23
  description: PID 3508 wrote to memory of 3740, pid: 3508, Process: 172dfff0948ffd964f872b14eb7f6913.exe, procid_target: 23
  description: PID 3508 wrote to memory of 3740, pid: 3508, Process: 172dfff0948ffd964f872b14eb7f6913.exe, procid_target: 23
  description: PID 3740 wrote to memory of 320, pid: 3740, Process: vbc.exe, procid_target: 22
  description: PID 3740 wrote to memory of 320, pid: 3740, Process: vbc.exe, procid_target: 22
  description: PID 3740 wrote to memory of 320, pid: 3740, Process: vbc.exe, procid_target: 22
  description: PID 3508 wrote to memory of 3224, pid: 3508, Process: 172dfff0948ffd964f872b14eb7f6913.exe, procid_target: 21
  description: PID 3508 wrote to memory of 3224, pid: 3508, Process: 172dfff0948ffd964f872b14eb7f6913.exe, procid_target: 21
  description: PID 3508 wrote to memory of 3224, pid: 3508, Process: 172dfff0948ffd964f872b14eb7f6913.exe, procid_target: 21
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\172dfff0948ffd964f872b14eb7f6913.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\172dfff0948ffd964f872b14eb7f6913.exe"
  PID: 3508
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\tmp47C7.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp47C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\172dfff0948ffd964f872b14eb7f6913.exe
    PID: 3224
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - Depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xateqnii.cmdline"
    PID: 3740
    - Suspicious use of WriteProcessMemory
- Depth 1: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4863.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E46F261E4984DBB814B84F8C2C458A8.TMP"
  PID: 320