Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/06/2024, 14:29 UTC

General

  • Target

    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe

  • Size

    13.0MB

  • MD5

    464a26d870a09b53444eecd6a6edd491

  • SHA1

    ca3d79b881c69b1e06999f3564c12c1cf4c1e2d8

  • SHA256

    65c921b766b02d9a510331260c2145bf1368f422e4a952652ebb828874c2743d

  • SHA512

    b2a4283dc75e259096f796a1362588e3ce5c72be91d90e2daa32b70cc5035ce1f7a5d7aa6340ef90aca9c2d83b86654086a6391f18443c7a7890a2f53e7d7916

  • SSDEEP

    196608:tnC20D8MFxKhdj9O0AoHWrXoLGI+zNLdmODAH06tWnJ1ebrqNL2R7wjP:tnA8ywhdRvbWr49hFH06ttbrqNiwL

Score
1/10

Malware Config

Signatures

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe"
    1⤵
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2848

Network

  • flag-us
    DNS
    wsgeoip.pdf-suite.com
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    wsgeoip.pdf-suite.com
    IN A
    Response
    wsgeoip.pdf-suite.com
    IN A
    172.67.158.191
    wsgeoip.pdf-suite.com
    IN A
    104.21.57.28
  • flag-us
    POST
    https://wsgeoip.pdf-suite.com/ipservice.asmx
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    172.67.158.191:443
    Request
    POST /ipservice.asmx HTTP/1.1
    Accept: text/*
    SOAPAction: "http://upclick.com/GetLocationInfo"
    Content-Type: text/xml; charset=utf-8
    User-Agent: VCSoapClient
    Host: wsgeoip.pdf-suite.com
    Content-Length: 346
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Mon, 24 Jun 2024 14:29:31 GMT
    Content-Type: text/xml; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    strict-transport-security: max-age=31536000; includeSubDomains
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z2fCjx7zZ7N0JAcov9ysEOyl0fcrw1inwYsXMYdwvLtORAs4kc39ecv%2FUP69d%2BcOySZQhS0qCS8Ts7XFaLppiMkSmXrHTqrf%2F3PisgeiY6x365mDavlmq0FBlnjTeDHpwRA%2BzabGihI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 898d6913c9ca88b3-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    apps.identrust.com
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    23.63.101.171
    a1952.dscq.akamai.net
    IN A
    23.63.101.153
  • flag-nl
    GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    23.63.101.171:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    Referrer-Policy: same-origin
    Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
    ETag: "37d-6079b8c0929c0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Mon, 24 Jun 2024 15:29:29 GMT
    Date: Mon, 24 Jun 2024 14:29:29 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    2.21.189.233
  • flag-us
    DNS
    x2.c.lencr.org
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    23.55.97.11
  • flag-be
    GET
    http://x2.c.lencr.org/
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    23.55.97.11:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
    ETag: "65ca969f-12b"
    Cache-Control: max-age=3600
    Expires: Mon, 24 Jun 2024 15:29:30 GMT
    Date: Mon, 24 Jun 2024 14:29:30 GMT
    Content-Length: 299
    Connection: keep-alive
  • flag-us
    DNS
    api-updateservice.pdf-suite.com
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    api-updateservice.pdf-suite.com
    IN A
    Response
    api-updateservice.pdf-suite.com
    IN A
    104.21.57.28
    api-updateservice.pdf-suite.com
    IN A
    172.67.158.191
  • flag-us
    POST
    https://api-updateservice.pdf-suite.com/api/v1/products/info
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    Remote address:
    104.21.57.28:443
    Request
    POST /api/v1/products/info HTTP/1.1
    Host: api-updateservice.pdf-suite.com
    User-Agent: PDF Suite 20 Installer 20.0.10.3187
    Connection: TE
    TE: gzip
    Accept-Encoding: deflate, gzip
    Accept: application/json
    Content-Type: application/json
    Content-Length: 670
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Mon, 24 Jun 2024 14:29:34 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    strict-transport-security: max-age=31536000; includeSubDomains
    Content-Encoding: gzip
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H0fQ234GnXf7v2kvAnxPLRsun0S84pKY6fKxKhHJ9eInR8m4TiSVOA%2FTV2NMkS5moUwTZJlLOEsqphopbI6HHR8MY2Vx2tqckXNy0hilGRQCkazsgnRL1pCnysFQpwFvgbAbzQbVYnROhNntqgcqtR9K"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 898d69278831944e-LHR
    alt-svc: h3=":443"; ma=86400
  • 172.67.158.191:443
    https://wsgeoip.pdf-suite.com/ipservice.asmx
    tls, http
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    1.5kB
    6.7kB
    12
    12

    HTTP Request

    POST https://wsgeoip.pdf-suite.com/ipservice.asmx

    HTTP Response

    200
  • 23.63.101.171:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    369 B
    1.6kB
    5
    4

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 23.55.97.11:80
    http://x2.c.lencr.org/
    http
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    350 B
    1.3kB
    5
    4

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 127.0.0.1:49287
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
  • 104.21.57.28:443
    https://api-updateservice.pdf-suite.com/api/v1/products/info
    tls, http
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    1.9kB
    7.0kB
    12
    14

    HTTP Request

    POST https://api-updateservice.pdf-suite.com/api/v1/products/info

    HTTP Response

    200
  • 8.8.8.8:53
    wsgeoip.pdf-suite.com
    dns
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    67 B
    99 B
    1
    1

    DNS Request

    wsgeoip.pdf-suite.com

    DNS Response

    172.67.158.191
    104.21.57.28

  • 8.8.8.8:53
    apps.identrust.com
    dns
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    64 B
    165 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    23.63.101.171
    23.63.101.153

  • 8.8.8.8:53
    www.microsoft.com
    dns
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    2.21.189.233

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    60 B
    165 B
    1
    1

    DNS Request

    x2.c.lencr.org

    DNS Response

    23.55.97.11

  • 8.8.8.8:53
    api-updateservice.pdf-suite.com
    dns
    2024-06-24_464a26d870a09b53444eecd6a6edd491_magniber_metamorfo.exe
    77 B
    109 B
    1
    1

    DNS Request

    api-updateservice.pdf-suite.com

    DNS Response

    104.21.57.28
    172.67.158.191

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e967104554edac122991467aae1375b2

    SHA1

    0d8ca5029ff5ba0f702e1f7ff614d31b5233bf23

    SHA256

    a191e68b4ef931e471b5cec73f44eed4c7c04c13c56115a699018b2029141870

    SHA512

    8b359ba61efc7d6fe9e3660bd32cf3f4d8ed95b7c5c4a0585d5b2b50a0f0739e298ab22ae403382b862b60504ad3e6b0ad40b18847dbd9020c96d0b5d0c619ea

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ccc4a2dabddafd3ffd4d21e2d6158009

    SHA1

    f72920a60752c7abafb65d6e5a8a41efcfac297b

    SHA256

    80e5ce3f2b4ce3f35c4a0543cd62effd39562ab9fb39a9a0c796f6f277fcd415

    SHA512

    40d1c88aafc27a60753b77fe357358a2c856f84ac7eb368624a97d3468fe1513ab792936bea87ab5c7077494a9d74477539b757d47378ce6b49a60b461521fe2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    2f44c08b9b7779c69eb0da463f80f3ad

    SHA1

    58c4b9f6612250ecee3998d3a622654c42a1968b

    SHA256

    c8782ec95e0cea393ae06ce6e2124f13aeaf0a1c3a6620aae4362a85b51676f7

    SHA512

    984cf2e41dd70a6395aeb1ea777a48447ffb0e6f0a96eb60fc20068940a9ee850aa90d0a045b921dd8a2b0459eb49ecc321aef9775f7dd26786d1cb02ccaac1d

  • C:\Users\Admin\AppData\Local\Temp\TarEA6.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
