Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/07/2024, 02:53

General

  • Target

    c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe

  • Size

    78KB

  • MD5

    9d797a1044fe51eac1ef33b2ff4fc011

  • SHA1

    8b83c7bfdcd4b7ab6bcf9bf7851b35dee476e68d

  • SHA256

    c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8

  • SHA512

    008a3c5425b53001455255bf0cfd420e7eda02441f1d5be022980cfc3a20831a4b349b02389a6ab1e683a3efb238cff4ddc17b2dc89973565b8d7f1df8d8a784

  • SSDEEP

    1536:vhHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtW9/a1FaF:5HYI3ZAtWDDILJLovbicqOq3o+nW9/xF

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
    "C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v2zcsinn.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC43A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC439.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3048
    • C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESC43A.tmp

    Filesize

    1KB

    MD5

    b2f8677424c347d7d36e93b49d0905ae

    SHA1

    ae153d7d4417c2c544eb91693fe7ff047d420e5f

    SHA256

    2a7552a29f23cabd0815838618242da1484b0cf836846ec56a6e10011d87e54b

    SHA512

    a7fbbf5791e2cb073960f6532af095c0f09bc53d22ef37fac7f6e44df6b46eba86bd589e6db262ca6abe9f9c91abc5674b1c8400739a60313288e1a8ce3d1dbc

  • C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe

    Filesize

    78KB

    MD5

    d4402aa85ca76e3ea2c1cfe916f45d22

    SHA1

    51a480417a6a7f3bc47503b2de937997878cde2d

    SHA256

    d612cd6b7cc4d8ffa3935c8d481de2b790a0180f47622a429f3b0f58215435c6

    SHA512

    7ed3568bb60d32873e36b3d62b2b1e797c88eb97e71300805264d2e1fd332a9c3daf2715610886cab5997be5c019eb9d217158ba663e6a3baab1fbd2816b492b

  • C:\Users\Admin\AppData\Local\Temp\v2zcsinn.0.vb

    Filesize

    15KB

    MD5

    5a7af21eb3ff3384c9f0fce2f09d3d47

    SHA1

    50919fffaba5c6715f650dd692b870067cdd518f

    SHA256

    6b6cf73ecf499c57263752ec5569abf887be9c76dace6aca8ada2c85ae091d68

    SHA512

    f17695eaaf86400a0527296b2d9538593d81214b4c2029e5957851dbdb79cc65f784b03dad8d721d1a4893e59194c01eb4f37ecdbc5aca2ba683a8ab996c97a7

  • C:\Users\Admin\AppData\Local\Temp\v2zcsinn.cmdline

    Filesize

    266B

    MD5

    4eee9b49e5ad80448b8cedc6c186abfd

    SHA1

    99484596aae47b36a3f8531f17e6fa65cc24dcf8

    SHA256

    e94b67c4db6fc9abcafd41b43eea03ce896189b1ea562a85562542eb8246a6c1

    SHA512

    235d6e96d3a1a34d8a225951360f6aa7cbf4b18a67ae5bc62603dfb2de072eb711656d68a9e8b8a3b85e49aa68be395243ee8fe282ea06936dbf0aec544ad031

  • C:\Users\Admin\AppData\Local\Temp\vbcC439.tmp

    Filesize

    660B

    MD5

    ab2170ed32c17735f09be0be220f40c5

    SHA1

    2638d57cbbe5fee970ecc0a9aae5db5edd5c937d

    SHA256

    c76b7e35865ed9f237b9ba106309abef2b39b4aa9ba43c788c577bf452353d3a

    SHA512

    86df735cbd2ba19ef6e21a34e12013c51ed0705506992e6af550dd52ce8dd7fe3ad22c0e375639fd15c2d29ed7c1c0b208c602c2cb6da38a607ab69dc1b6a1ea

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    a26b0f78faa3881bb6307a944b096e91

    SHA1

    42b01830723bf07d14f3086fa83c4f74f5649368

    SHA256

    b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

    SHA512

    a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

  • memory/1848-9-0x00000000747A0000-0x0000000074D4B000-memory.dmp

    Filesize

    5.7MB

  • memory/1848-18-0x00000000747A0000-0x0000000074D4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2204-0-0x00000000747A1000-0x00000000747A2000-memory.dmp

    Filesize

    4KB

  • memory/2204-1-0x00000000747A0000-0x0000000074D4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2204-2-0x00000000747A0000-0x0000000074D4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2204-24-0x00000000747A0000-0x0000000074D4B000-memory.dmp

    Filesize

    5.7MB