Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2024, 14:46
Static task: static1
Behavioral task: behavioral1
  Sample: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
  Resource: win10v2004-20240802-en
General
Target: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
Size: 78KB
MD5: 0fb564b3867f161ba694c2681545f6a0
SHA1: 3deb46295458313f827742a44836557e337c1188
SHA256: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5
SHA512: 45db670cb03ec50a9207977a89fb8ccb3b9eec3d2d1a99b4811f16d8c7e44f30a0bf213ba98b4615ab3536dadec181e462caf67bf69f04ffdf0063a2b2b036e4
SSDEEP: 1536:DV4V58OAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS6B9/y1Zb:x4V58OAtWDDILJLovbicqOq3o+np9/W
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe)

Deletes itself (1 IoC)
- PID 2816: tmp7C92.tmp.exe

Executes dropped EXE (1 IoC)
- PID 2816: tmp7C92.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" (process: tmp7C92.tmp.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp7C92.tmp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege (PID 4424, process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe)
- Token: SeDebugPrivilege (PID 2816, process: tmp7C92.tmp.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4424 wrote to memory of 4804 (PID 4424, process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe, procid_target: 82)
- PID 4424 wrote to memory of 4804 (PID 4424, process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe, procid_target: 82)
- PID 4424 wrote to memory of 4804 (PID 4424, process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe, procid_target: 82)
- PID 4804 wrote to memory of 4716 (PID 4804, process: vbc.exe, procid_target: 84)
- PID 4804 wrote to memory of 4716 (PID 4804, process: vbc.exe, procid_target: 84)
- PID 4804 wrote to memory of 4716 (PID 4804, process: vbc.exe, procid_target: 84)
- PID 4424 wrote to memory of 2816 (PID 4424, process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe, procid_target: 85)
- PID 4424 wrote to memory of 2816 (PID 4424, process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe, procid_target: 85)
- PID 4424 wrote to memory of 2816 (PID 4424, process: 7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe, procid_target: 85)
Processes
C:\Users\Admin\AppData\Local\Temp\7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe"
  PID: 4424
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3s4ymd5m.cmdline"
    PID: 4804
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE295DA842BE442FEA0AD25D4EEF2715.TMP"
      PID: 4716
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmp7C92.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7C92.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7d5397dd8faded48b57e1c911c05c2c05b2d24ff8f995a62150c2463badadeb5N.exe
    PID: 2816
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads