Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2024, 01:16
Static task: static1

Behavioral task: behavioral1
- Sample: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
- Resource: win10v2004-20240802-en
General
- Target: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
- Size: 78KB
- MD5: 864d51ebd98fba435ff1c57c5696c760
- SHA1: 9420d56ef6166d7ab5306904e580d31d68d6aee0
- SHA256: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611
- SHA512: 3e8afbacf784128e168e3929f4f4a937276dd3e7098f46e2c44ff73b1232ef8b65ed0567285f65fb64b297549f9247deaf5234b3df0f4fbb9ea522f3294ebe72
- SSDEEP: 1536:bmCHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLa9/J1zk:KCH/3ZAtWDDILJLovbicqOq3o+nLa9/c
Malware Config
Signatures

- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in use since 2013.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe

- Deletes itself (1 IoC)
  pid | Process
  2892 | tmpBD26.tmp.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  2892 | tmpBD26.tmp.exe

- Uses the VBS compiler for execution (1 TTP)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | tmpBD26.tmp.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpBD26.tmp.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4716 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
  Token: SeDebugPrivilege | 2892 | tmpBD26.tmp.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4716 wrote to memory of 216 | 4716 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 82
  PID 4716 wrote to memory of 216 | 4716 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 82
  PID 4716 wrote to memory of 216 | 4716 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 82
  PID 216 wrote to memory of 3652 | 216 | vbc.exe | 84
  PID 216 wrote to memory of 3652 | 216 | vbc.exe | 84
  PID 216 wrote to memory of 3652 | 216 | vbc.exe | 84
  PID 4716 wrote to memory of 2892 | 4716 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 85
  PID 4716 wrote to memory of 2892 | 4716 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 85
  PID 4716 wrote to memory of 2892 | 4716 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe (depth 1, PID 4716)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe"
    Signatures:
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, PID 216)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mhuhtecn.cmdline"
        Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3, PID 3652)
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc929BCA7759164E1792C83A592A5A7A2D.TMP"
            Signatures:
            - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmpBD26.tmp.exe (depth 2, PID 2892)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBD26.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
        Signatures:
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d71bdbab6c625177773116ba42212db0
  SHA1: 0511852ece6bddcaa2dabea22ecbba1cb9998c96
  SHA256: 9d64939f55efec2f19b8c55a81f391ec022b9c46e9cbeb925a630f9c62786fd1
  SHA512: 68d5610a14b5998b4737c255c3034c50c2146d24d7782906d7516c2f16110b80059b6ed3a01499ec4dde14f10e0f1638eb580634ed1a34b78316d4f8a85d66cc

- Filesize: 15KB
  MD5: 443aeb7ef5679fd3b1c4f298676f589d
  SHA1: b44b06377e5343cc400840d2c040d22c9587b5db
  SHA256: a6e27b641ee2faa8387ef701759af6cd6d43537ccf9f086f0d63cc92df2bc301
  SHA512: da6507e6c9c4d72edfe5b240c06c5d156b6bcbb47aa83cff9f6d783da52cb89a92d65fac31eb7178161357a3fb709c68586c424da821a91dce851c86c21afa7c

- Filesize: 266B
  MD5: fecc18a9a0c995d29bf7f6d333f8c3bf
  SHA1: cb01348dbe9ebb200639cb6512eacf3e42812b74
  SHA256: 718b45d420863b98ec51c203d39d79447770dbda972ef848c939b838d05ec984
  SHA512: ea15339d67a8f0b8d302468d2cc7e93103b5dc90d34bf7a91fcb5753553a27f0e30b51d6a3b1c7e12f02d883808a96e3649151f81f850b4b4172cd3d8a7414d2

- Filesize: 78KB
  MD5: 063949af7445f73e4e9448d8e26fe303
  SHA1: fb61b24c033c92962e08d4abbca94b0c24cb88b5
  SHA256: 1e152a3f303f554a18966e0d15e4507903fb60404ddd1025762506d37f47d172
  SHA512: a22599b51b4e2141c8c1b47cfe9b547324447c1db30ab497247097cdce1748813bb0225c5e3791934f8acd5479992988278b0acfbef163119b77fe77a9fdefe8

- Filesize: 660B
  MD5: 444e378511d5b5077e50d50f0ed15ad2
  SHA1: 6711707e6f03f1d1d94b6778f8f2f9e630351132
  SHA256: 9bfa895fe22a1828424ae976f1c2457390475d41dfd90ed1694e0cf32cb07115
  SHA512: f23b13ebe0634300f2a0ce4771e12cf065aa917e91287e713a87c52bd4ecf265664e66a9bb2122a450775e1122ae26d00c2ad232dc5cfbb994d5edd996c07679

- Filesize: 62KB
  MD5: a26b0f78faa3881bb6307a944b096e91
  SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
  SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
  SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c