Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24/06/2024, 08:07 UTC
General
-
Target
2024-06-24_1e310f380a19e9255832a1aff13b6952_magniber_metamorfo.exe
-
Size
13.0MB
-
MD5
1e310f380a19e9255832a1aff13b6952
-
SHA1
3d9f5f7953bce4fff2bcc53e5a29e8b854499348
-
SHA256
c85f841fa283581fe2700c53ad8880af6e6d409b77b12d2cc321742400fbec9f
-
SHA512
ddec10289a8dd93e26d8e088c34822e3d21e8745fe2eb4739248334a0c7ddb9a6b8618058bb294b374b1a63bbdc29f504f4a39fed38a57d77341c094ec9741db
-
SSDEEP
196608:4nC20D8MFxKhdj9O0AoHWrXoLGI+zNLdmODAH06tWnJ1ebrqNW2R7ojH:4nA8ywhdRvbWr49hFH06ttbrqNjob
Malware Config
Signatures
-
Modifies registry class 3 IoCs
-
Modifies system certificate store 2 TTPs 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-24_1e310f380a19e9255832a1aff13b6952_magniber_metamorfo.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-24_1e310f380a19e9255832a1aff13b6952_magniber_metamorfo.exe"1⤵
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
-
DNSwsgeoip.pdf-suite.comRemote address:8.8.8.8:53Requestwsgeoip.pdf-suite.comIN AResponsewsgeoip.pdf-suite.comIN A172.67.158.191wsgeoip.pdf-suite.comIN A104.21.57.28 -
POSThttps://wsgeoip.pdf-suite.com/ipservice.asmxRemote address:172.67.158.191:443RequestPOST /ipservice.asmx HTTP/1.1
Accept: text/*
SOAPAction: "http://upclick.com/GetLocationInfo"
Content-Type: text/xml; charset=utf-8
User-Agent: VCSoapClient
Host: wsgeoip.pdf-suite.com
Content-Length: 346
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 24 Jun 2024 08:07:13 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
strict-transport-security: max-age=31536000; includeSubDomains
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lNm1gniuK7UaXIbUvCt2VtX66UOmIRHrTp9YvRjUj%2FPXtUgTyPJ8D7s32OTBldj1Llo7p%2BmXMTn%2FTfOZ9UVI9fNNCAB2LHos36GjtEfwLfgYGuJjOt%2FtqVKtfyoCdEwovFeqvJfA0eM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 898b39164aaf48b1-LHR
alt-svc: h3=":443"; ma=86400
-
DNSapps.identrust.comRemote address:8.8.8.8:53Requestapps.identrust.comIN AResponseapps.identrust.comIN CNAMEidentrust.edgesuite.netidentrust.edgesuite.netIN CNAMEa1952.dscq.akamai.neta1952.dscq.akamai.netIN A23.63.101.153a1952.dscq.akamai.netIN A23.63.101.171
-
GEThttp://apps.identrust.com/roots/dstrootcax3.p7cRemote address:23.63.101.153:80RequestGET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
ResponseHTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 24 Jun 2024 09:07:12 GMT
Date: Mon, 24 Jun 2024 08:07:12 GMT
Connection: keep-alive
-
DNSx2.c.lencr.orgRemote address:8.8.8.8:53Requestx2.c.lencr.orgIN AResponsex2.c.lencr.orgIN CNAMEcrl.root-x1.letsencrypt.org.edgekey.netcrl.root-x1.letsencrypt.org.edgekey.netIN CNAMEe8652.dscx.akamaiedge.nete8652.dscx.akamaiedge.netIN A23.55.97.11
-
GEThttp://x2.c.lencr.org/Remote address:23.55.97.11:80RequestGET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x2.c.lencr.org
ResponseHTTP/1.1 200 OK
Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
ETag: "65ca969f-12b"
Cache-Control: max-age=3600
Expires: Mon, 24 Jun 2024 09:07:13 GMT
Date: Mon, 24 Jun 2024 08:07:13 GMT
Content-Length: 299
Connection: keep-alive
-
DNSapi-updateservice.pdf-suite.comRemote address:8.8.8.8:53Requestapi-updateservice.pdf-suite.comIN AResponseapi-updateservice.pdf-suite.comIN A104.21.57.28api-updateservice.pdf-suite.comIN A172.67.158.191
-
POSThttps://api-updateservice.pdf-suite.com/api/v1/products/infoRemote address:104.21.57.28:443RequestPOST /api/v1/products/info HTTP/1.1
Host: api-updateservice.pdf-suite.com
User-Agent: PDF Suite 20 Installer 20.0.10.3187
Connection: TE
TE: gzip
Accept-Encoding: deflate, gzip
Accept: application/json
Content-Type: application/json
Content-Length: 564
Expect: 100-continue
ResponseHTTP/1.1 200 OK
Date: Mon, 24 Jun 2024 08:07:16 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
strict-transport-security: max-age=31536000; includeSubDomains
Content-Encoding: gzip
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zc7bg32fiKNCubP3gzUKa4h%2FsER1ZbjzPDMstIt4YP%2FbjyVOslSPAGhSOzA9SRnj00qyfKEuWz%2FbuenXwwiVkweMs06KNAf%2FxQpLVHO75S33EPE2Aglkf5vGC91f7F2CIYuNk3nY9gfebOfkKpkTG2xX"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 898b392a3fa279be-LHR
alt-svc: h3=":443"; ma=86400
-
172.67.158.191:443https://wsgeoip.pdf-suite.com/ipservice.asmxtls, http
HTTP Request
POST https://wsgeoip.pdf-suite.com/ipservice.asmxHTTP Response
200 -
23.63.101.153:80http://apps.identrust.com/roots/dstrootcax3.p7chttp
HTTP Request
GET http://apps.identrust.com/roots/dstrootcax3.p7cHTTP Response
200 -
23.55.97.11:80http://x2.c.lencr.org/http
HTTP Request
GET http://x2.c.lencr.org/HTTP Response
200 -
104.21.57.28:443https://api-updateservice.pdf-suite.com/api/v1/products/infotls, http
HTTP Request
POST https://api-updateservice.pdf-suite.com/api/v1/products/infoHTTP Response
200 -
127.0.0.1:49278
-
8.8.8.8:53wsgeoip.pdf-suite.comdns
DNS Request
wsgeoip.pdf-suite.com
DNS Response
172.67.158.191104.21.57.28
-
8.8.8.8:53apps.identrust.comdns
DNS Request
apps.identrust.com
DNS Response
23.63.101.15323.63.101.171
-
8.8.8.8:53x2.c.lencr.orgdns
DNS Request
x2.c.lencr.org
DNS Response
23.55.97.11
-
8.8.8.8:53api-updateservice.pdf-suite.comdns
DNS Request
api-updateservice.pdf-suite.com
DNS Response
104.21.57.28172.67.158.191
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
342B
MD5d8768b503858c5f0e1d64b3360664474
SHA1aa2b45aa13ba10b4bbfa78a2239f9c1361bf5e16
SHA2560507898f347f2cc4e910101a9571f82812e44116e64a0c8a16b61e964c4c2dd2
SHA5127011e89ae8a9f75284748eacc8585d0edd71859858aee3b5a39c15417ff26ee876c28044b30ae3208ae9ec8a6eb464a132e78f00eaa7276ec147abb2c2f64e06
-
Filesize
342B
MD5dd9e87fb99fda16ebfbc922d8eb792ae
SHA17848b807f35122363bbcba556a76bb9c8da515c7
SHA256edcb3c72116ffb5a3cc746638b72ee836383439d8627f668c70cb51b4a2f63d8
SHA512359862a0edbbc917a9342270d31e942ae9d07890604306ccab39408f5efb15d022b4b816c87938090cf5b5f82193a1c234e5ba690565d3e50e7914d5ba37960f
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b