Analysis
Max time kernel: 119s
Max time network: 120s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/10/2024, 13:13
Static task: static1
Behavioral task: behavioral1
  Sample: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe
  Resource: win10v2004-20240802-en
General
Target: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe
Size: 78KB
MD5: f087f48ca7dbe075208a9857f2da67f0
SHA1: eba1417348a65af6b5c950e8b7c632ecdbf2cd6b
SHA256: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27
SHA512: 34ae56909de0f66a9b2a7416456970ee5624dfc940958f986a85074c8c9fdcac8d7e5cc6d467279dc6479e3fd4e1d49f6d8591b82688a2395626e327138b8334
SSDEEP: 1536:be58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6g9/0xE21J7:be58/SyRxvhTzXPvCbW2UY9/0
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation (process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe)

Executes dropped EXE (1 IoC)
  PID 4264: tmp6DCD.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmp6DCD.tmp.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp6DCD.tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3116 (process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe)
  Token: SeDebugPrivilege, PID 4264 (process: tmp6DCD.tmp.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3116 wrote to memory of 1800; process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe (pid 3116), procid_target 82
  PID 3116 wrote to memory of 1800; process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe (pid 3116), procid_target 82
  PID 3116 wrote to memory of 1800; process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe (pid 3116), procid_target 82
  PID 1800 wrote to memory of 1984; process: vbc.exe (pid 1800), procid_target 84
  PID 1800 wrote to memory of 1984; process: vbc.exe (pid 1800), procid_target 84
  PID 1800 wrote to memory of 1984; process: vbc.exe (pid 1800), procid_target 84
  PID 3116 wrote to memory of 4264; process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe (pid 3116), procid_target 85
  PID 3116 wrote to memory of 4264; process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe (pid 3116), procid_target 85
  PID 3116 wrote to memory of 4264; process: 4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe (pid 3116), procid_target 85
Processes
C:\Users\Admin\AppData\Local\Temp\4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe (PID 3116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1800)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w45q8orv.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1984)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2A065418F314F01883E99729DDB41.TMP"
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmp6DCD.tmp.exe (PID 4264)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6DCD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f6123bee202f302bada336f2653a387103bdd1fe60ee5bdd7af60096fe09e27N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads