Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2024, 08:43
Static task
- static1
Behavioral task
- behavioral1
  Sample: 86708573785c3eaff0a6a5295bdb2b61.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 86708573785c3eaff0a6a5295bdb2b61.exe
  Resource: win10v2004-20231215-en
General
- Target: 86708573785c3eaff0a6a5295bdb2b61.exe
- Size: 78KB
- MD5: 86708573785c3eaff0a6a5295bdb2b61
- SHA1: 218eb32d41e4506c327c47e21e1ded982fc89db4
- SHA256: a32ee6a1016da3fa161567b7c6076f04349bbf68dd8d0121216dc87d945a8291
- SHA512: 932e1ef0b38eebad4ecc355a52350c7f998262af132817c0a27833e961eeb6b6602cb6acedb0dd2cc4bca21d5bb6e0935a63ea2f7db7858db07176616b7f6c98
- SSDEEP: 1536:sCHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQten9/S1/p:sCHFon3xSyRxvY3md+dWWZyen9/y
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation  86708573785c3eaff0a6a5295bdb2b61.exe
- Deletes itself (1 IoC)
  pid   Process
  4700  tmp43FE.tmp.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  4700  tmp43FE.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""  tmp43FE.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4524  86708573785c3eaff0a6a5295bdb2b61.exe
  Token: SeDebugPrivilege   4700  tmp43FE.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                               procid_target
  PID 4524 wrote to memory of 2444  4524  86708573785c3eaff0a6a5295bdb2b61.exe  84
  PID 4524 wrote to memory of 2444  4524  86708573785c3eaff0a6a5295bdb2b61.exe  84
  PID 4524 wrote to memory of 2444  4524  86708573785c3eaff0a6a5295bdb2b61.exe  84
  PID 2444 wrote to memory of 2908  2444  vbc.exe                               86
  PID 2444 wrote to memory of 2908  2444  vbc.exe                               86
  PID 2444 wrote to memory of 2908  2444  vbc.exe                               86
  PID 4524 wrote to memory of 4700  4524  86708573785c3eaff0a6a5295bdb2b61.exe  87
  PID 4524 wrote to memory of 4700  4524  86708573785c3eaff0a6a5295bdb2b61.exe  87
  PID 4524 wrote to memory of 4700  4524  86708573785c3eaff0a6a5295bdb2b61.exe  87
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe"
  Level: 1
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4524
  - Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jxlq9bol.cmdline"
    Level: 2
    - Suspicious use of WriteProcessMemory
    PID: 2444
    - Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES448B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53550D69623140D580B4D16B1DAB7636.TMP"
      Level: 3
      PID: 2908
  - Image: C:\Users\Admin\AppData\Local\Temp\tmp43FE.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp43FE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe
    Level: 2
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 4700
Network
MITRE ATT&CK Enterprise v15
Downloads