Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 24/07/2024, 02:53
Static task: static1
Behavioral task: behavioral1
  Sample: c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
  Resource: win10v2004-20240709-en
General
Target: c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
Size: 78KB
MD5: 9d797a1044fe51eac1ef33b2ff4fc011
SHA1: 8b83c7bfdcd4b7ab6bcf9bf7851b35dee476e68d
SHA256: c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8
SHA512: 008a3c5425b53001455255bf0cfd420e7eda02441f1d5be022980cfc3a20831a4b349b02389a6ab1e683a3efb238cff4ddc17b2dc89973565b8d7f1df8d8a784
SSDEEP: 1536:vhHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtW9/a1FaF:5HYI3ZAtWDDILJLovbicqOq3o+nW9/xF
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.
Executes dropped EXE (1 IoC)
  PID   Process
  856   tmpC3BC.tmp.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
  2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""  tmpC3BC.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Description  IoC                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpC3BC.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
  Token: SeDebugPrivilege  856   tmpC3BC.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process                                                                 Target procid
  PID 2204 wrote to memory of 1848   2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe  30
  PID 2204 wrote to memory of 1848   2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe  30
  PID 2204 wrote to memory of 1848   2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe  30
  PID 2204 wrote to memory of 1848   2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe  30
  PID 1848 wrote to memory of 3048   1848  vbc.exe                                                                 32
  PID 1848 wrote to memory of 3048   1848  vbc.exe                                                                 32
  PID 1848 wrote to memory of 3048   1848  vbc.exe                                                                 32
  PID 1848 wrote to memory of 3048   1848  vbc.exe                                                                 32
  PID 2204 wrote to memory of 856    2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe  33
  PID 2204 wrote to memory of 856    2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe  33
  PID 2204 wrote to memory of 856    2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe  33
  PID 2204 wrote to memory of 856    2204  c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe  33
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe"
    PID: 2204
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v2zcsinn.cmdline"
        PID: 1848
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC43A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC439.tmp"
            PID: 3048
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
        PID: 856
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
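The process tree and signatures above show three behaviours worth turning into detection logic: the sample compiling code at runtime (vbc.exe launched with a response file in the user's Temp directory, which in turn spawns cvtres.exe), a dropped executable running from Temp, and a Run-key value whose name (caspol.exe) does not match the binary it actually launches (InstallMembership.exe in Temp). The following Python is an added example, not part of the tria.ge report or of any tria.ge tooling. The PIDs, image paths, command lines and registry value are copied from the report; the event schema, the sample's own parent PID (unknown from the report, set to 0) and the allow-list of benign compiler parents are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (assumed schema, not tria.ge's format)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:
    """Registry value-set record (assumed schema)."""
    pid: int
    key: str
    name: str
    data: str


# Constructed telemetry copied from the process tree in the report above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe"
FX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

PROCS = [
    # Parent of the sample is not in the report; 0 is an assumed placeholder.
    ProcEvent(2204, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1848, 2204, rf"{FX}\vbc.exe",
              rf'"{FX}\vbc.exe" /noconfig @"{TEMP}\v2zcsinn.cmdline"'),
    ProcEvent(3048, 1848, rf"{FX}\cvtres.exe",
              rf'{FX}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\RESC43A.tmp" "{TEMP}\vbcC439.tmp"'),
    ProcEvent(856, 2204, rf"{TEMP}\tmpC3BC.tmp.exe",
              rf'"{TEMP}\tmpC3BC.tmp.exe" {SAMPLE}'),
]

REG = [
    RegSetEvent(856,
                r"\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run",
                "caspol.exe", rf'"{TEMP}\InstallMembership.exe"'),
]

DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed allow-list: parents for which compiler use is expected.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# Per-user Temp directory, the location every dropped artefact in the report lives in.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Image names from `pid` up to the root that telemetry knows about."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def runtime_compilation(procs):
    """PIDs of vbc/csc launched by a non-developer parent with a response file
    (@foo.cmdline) that sits in a per-user Temp directory."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if basename(p.image) not in DOTNET_COMPILERS:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = basename(parent.image) if parent else None
        rsp = re.search(r'@"?([^"\s]+\.cmdline)', p.cmdline, re.I)
        if parent_name not in DEV_PARENTS and rsp and TEMP_DIR.match(rsp.group(1)):
            hits.append(p.pid)
    return hits


def temp_executed(procs):
    """PIDs of executables running out of a per-user Temp directory. In a
    sandbox the submitted sample is staged there too, so it fires as well."""
    return [p.pid for p in procs
            if p.image.lower().endswith(".exe") and TEMP_DIR.match(p.image)]


def run_key_persistence(regs):
    """(pid, value name, reasons) for Run-key values that point into Temp or
    whose value name does not match the launched binary's file name."""
    hits = []
    for r in regs:
        if not r.key.lower().endswith(r"\software\microsoft\windows\currentversion\run"):
            continue
        target = r.data.strip().strip('"')
        reasons = []
        if TEMP_DIR.match(target):
            reasons.append("target lives in per-user Temp")
        if r.name.lower() != basename(target):
            reasons.append(f"value name {r.name!r} does not match target {basename(target)!r}")
        if reasons:
            hits.append((r.pid, r.name, reasons))
    return hits


if __name__ == "__main__":
    print("runtime compilation:", runtime_compilation(PROCS))
    print("exe from Temp:", temp_executed(PROCS))
    print("cvtres lineage:", lineage(PROCS, 3048))
    for pid, name, reasons in run_key_persistence(REG):
        print(f"Run key by PID {pid} ({name}):", "; ".join(reasons))
```

The compiler check keys on the response file rather than on vbc.exe alone because the .NET Framework compilers are present on every Windows host and are legitimately invoked by build tooling; a non-developer parent plus a `.cmdline` file under Temp is the combination that this sample exhibits. The Run-key check flags the value even when the target is outside Temp, as long as the value name is chosen to look like a different binary.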
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: b2f8677424c347d7d36e93b49d0905ae
SHA1: ae153d7d4417c2c544eb91693fe7ff047d420e5f
SHA256: 2a7552a29f23cabd0815838618242da1484b0cf836846ec56a6e10011d87e54b
SHA512: a7fbbf5791e2cb073960f6532af095c0f09bc53d22ef37fac7f6e44df6b46eba86bd589e6db262ca6abe9f9c91abc5674b1c8400739a60313288e1a8ce3d1dbc

Filesize: 78KB
MD5: d4402aa85ca76e3ea2c1cfe916f45d22
SHA1: 51a480417a6a7f3bc47503b2de937997878cde2d
SHA256: d612cd6b7cc4d8ffa3935c8d481de2b790a0180f47622a429f3b0f58215435c6
SHA512: 7ed3568bb60d32873e36b3d62b2b1e797c88eb97e71300805264d2e1fd332a9c3daf2715610886cab5997be5c019eb9d217158ba663e6a3baab1fbd2816b492b

Filesize: 15KB
MD5: 5a7af21eb3ff3384c9f0fce2f09d3d47
SHA1: 50919fffaba5c6715f650dd692b870067cdd518f
SHA256: 6b6cf73ecf499c57263752ec5569abf887be9c76dace6aca8ada2c85ae091d68
SHA512: f17695eaaf86400a0527296b2d9538593d81214b4c2029e5957851dbdb79cc65f784b03dad8d721d1a4893e59194c01eb4f37ecdbc5aca2ba683a8ab996c97a7

Filesize: 266B
MD5: 4eee9b49e5ad80448b8cedc6c186abfd
SHA1: 99484596aae47b36a3f8531f17e6fa65cc24dcf8
SHA256: e94b67c4db6fc9abcafd41b43eea03ce896189b1ea562a85562542eb8246a6c1
SHA512: 235d6e96d3a1a34d8a225951360f6aa7cbf4b18a67ae5bc62603dfb2de072eb711656d68a9e8b8a3b85e49aa68be395243ee8fe282ea06936dbf0aec544ad031

Filesize: 660B
MD5: ab2170ed32c17735f09be0be220f40c5
SHA1: 2638d57cbbe5fee970ecc0a9aae5db5edd5c937d
SHA256: c76b7e35865ed9f237b9ba106309abef2b39b4aa9ba43c788c577bf452353d3a
SHA512: 86df735cbd2ba19ef6e21a34e12013c51ed0705506992e6af550dd52ce8dd7fe3ad22c0e375639fd15c2d29ed7c1c0b208c602c2cb6da38a607ab69dc1b6a1ea

Filesize: 62KB
MD5: a26b0f78faa3881bb6307a944b096e91
SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c