Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240910-en locale:en-us os:windows10-2004-x64 system
submitted: 01/10/2024, 12:59
Static task: static1
Behavioral task: behavioral1
  Sample: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
  Resource: win10v2004-20240910-en
General
Target: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
Size: 78KB
MD5: 864d51ebd98fba435ff1c57c5696c760
SHA1: 9420d56ef6166d7ab5306904e580d31d68d6aee0
SHA256: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611
SHA512: 3e8afbacf784128e168e3929f4f4a937276dd3e7098f46e2c44ff73b1232ef8b65ed0567285f65fb64b297549f9247deaf5234b3df0f4fbb9ea522f3294ebe72
SSDEEP: 1536:bmCHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLa9/J1zk:KCH/3ZAtWDDILJLovbicqOq3o+nLa9/c
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe

Deletes itself (1 IoCs)
pid | Process
3604 | tmpE436.tmp.exe

Executes dropped EXE (1 IoCs)
pid | Process
3604 | tmpE436.tmp.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | tmpE436.tmp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpE436.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1672 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
Token: SeDebugPrivilege | 3604 | tmpE436.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1672 wrote to memory of 4364 | 1672 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 84
PID 1672 wrote to memory of 4364 | 1672 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 84
PID 1672 wrote to memory of 4364 | 1672 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 84
PID 4364 wrote to memory of 1688 | 4364 | vbc.exe | 86
PID 4364 wrote to memory of 1688 | 4364 | vbc.exe | 86
PID 4364 wrote to memory of 1688 | 4364 | vbc.exe | 86
PID 1672 wrote to memory of 3604 | 1672 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 90
PID 1672 wrote to memory of 3604 | 1672 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 90
PID 1672 wrote to memory of 3604 | 1672 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 90
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1672

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gntetq0o.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4364

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC233BAB39A3542F3BD61103AA1A52012.TMP"
            - System Location Discovery: System Language Discovery
            PID: 1688

    [2] C:\Users\Admin\AppData\Local\Temp\tmpE436.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE436.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3604
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: c365190369fd7b7a1d6099dbf91beedb
SHA1: 6e1af1de5f444092a3274592313efae1b6d26d70
SHA256: 4aa12d209bf799bfc796ae42982a1cf598cb21f987e3417d829706cac61576ce
SHA512: c613357cd594905f568a65bc32e2633a5dcdb76989c65c41251dfa3528881ebf4f93b6205c649a5784dc3ac7a9046e49de2ce8d48a9d8dcdf70950ee40b8be82

Filesize: 15KB
MD5: 394072c40df45e272090966178e74256
SHA1: dded5ab474d276463459d5c68a27c21142f4faea
SHA256: 7489a28b4e4e869831c93ab8fafe43112f4d21dc36339caa0559720f93938cea
SHA512: 81c19b7f545477757a6ab337f369d366d78a09b93c076a54a747083d95cb08320405d279bfac9212a03de9bbbd5db3086397da3ce7dbe7aa72b83efeb707a9d7

Filesize: 266B
MD5: dd925124de60767e177f972677f4ba80
SHA1: a5880e9e161c8dbde4d96f70279971e775dc97d4
SHA256: a735e505f6aee97033b3b54e635ba01705ab642a4f5c1636fa9e4b4f4cf1a076
SHA512: 343638b4049d2f740b401824bb2731ca547c3d5bb25619a8457b261cadb457f7e4c7646c0d81549bd1ee5fda13154efc950a3b411d415feb8fdeb09fd81a1e69

Filesize: 78KB
MD5: 894b6944939db0e4d056016ffdf61804
SHA1: 624eb5ab11c7d9839e702fe87851e8ed448b3713
SHA256: 45dd1a70aed0de311f069d2a2c16b458c89195c362e29dd99e777cb49a2b7eee
SHA512: a46052845bb78f404d7376c67c85853aafa83f0d1a42a18667a15093273457e10a773fb80818079bc0bbbeff3b553849fdd6cabbd3e4ddea6b52503b250bc9dd

Filesize: 660B
MD5: 2ee55c409374c71f12e6df2b4cb6e80b
SHA1: 24107e62536b8a9c82912752963e44ec7ef4c3e8
SHA256: 889ce39606bcd0090f5c88bbbff92dc605a2277fb0e27fcd3b54113335cb1e6a
SHA512: 577c83753e2f692b417806f24c7dd140f6e8c92855fa9be16e4d8992a33e6804f875393b687b460de535f6b161b516402f06a521ea2062e2b83f88be75f45493

Filesize: 62KB
MD5: a26b0f78faa3881bb6307a944b096e91
SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c