Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01/10/2024, 15:12

General

  • Target

    6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe

  • Size

    78KB

  • MD5

    cafe3f51f0ad7bd7e91f52efb5e48d80

  • SHA1

    8609df5f6708542374b0927225356936a0f600cd

  • SHA256

    6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4

  • SHA512

    1e0c93be470cad88284fb2e257972a30830f6144f1d16f4f20c02c83d0702634fec287b49dbae854d6f8018f56331e2cfb12b6874c61786aa367cb174915b9a3

  • SSDEEP

    1536:ZHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQte669/q1hH:ZHFonh/l0Y9MDYrm7e669/q

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe
    "C:\Users\Admin\AppData\Local\Temp\6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwoydpr4.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77CF.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1720
    • C:\Users\Admin\AppData\Local\Temp\tmp7658.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7658.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES77D0.tmp

    Filesize

    1KB

    MD5

    e21b54c43d15940c9c54ad9e383be5ae

    SHA1

    52fad41c0790beaf2f6d09df96907136cc6a8a6f

    SHA256

    cc7a8ed269bc06c3098a16b88bb4f415f2a6b1b94bb5ac753cf0a609f2e2f1bf

    SHA512

    3922051025426ce8949cf6c61f844437653837ffabf200c2fd56ba696af39b54beb31de5f2ba81e2ef8ee1f46ca2402f2e1e63be94ceabaa462cad4e835043ad

  • C:\Users\Admin\AppData\Local\Temp\tmp7658.tmp.exe

    Filesize

    78KB

    MD5

    81c4af831f453800cb87c802cb78b4b8

    SHA1

    937e12b5300d1ed4fce8f77e283b9e956b414836

    SHA256

    8ca8edbcc0699a6322246405d4c6c667f672ab8b0f8d6f2cbd4df60f33bd94d8

    SHA512

    7014d7c4c8527930e9a3ef29fe7e1b17feb307fac990f4101fc6f48752c55e2ee18ebe7e7782248e2a0e942113e771e596872734a3dbb00b37fedb336686b64f

  • C:\Users\Admin\AppData\Local\Temp\uwoydpr4.0.vb

    Filesize

    15KB

    MD5

    40e073563231e06403440eb7eef4d264

    SHA1

    376aa632bdd5f3c9c0e2dde9ef7e2e96b5bfd434

    SHA256

    4e7ee688d1892d8fd3fbbd26e56f211406ec9b67b0327a2b43bed976e2dc515e

    SHA512

    9b35ad65d2d46eac8b6f78b7863759f3ec0bf2c41438ac0ae13f5925e633e48c7ebf630391c851d613d45a5b81bdcb715dbdae460e97484b0bd47d2edc8f2df8

  • C:\Users\Admin\AppData\Local\Temp\uwoydpr4.cmdline

    Filesize

    266B

    MD5

    559e087977fc888f235abc38b76fd249

    SHA1

    e5a5e4f9a7cd580c3cfcc598bea4da27c8242c65

    SHA256

    96fd32f293f4f2c083f8280a87d123a600a96e6ea8933bb895ffa68995b49023

    SHA512

    618420b87e184020f932b56ef64d32bad4b0be30e49e5c71c49c0371f173248202ce2b0b2b792c349460d8ae49ac064a319306f98c014f067eaa10fc8f6b0f09

  • C:\Users\Admin\AppData\Local\Temp\vbc77CF.tmp

    Filesize

    660B

    MD5

    5d36f53deb495d3edd8dcc464d285edb

    SHA1

    1f2361e3e551b28cca7c24cf02457abceda45edc

    SHA256

    27b709b6bad23c921c12d56c364b4a0d9f259f7a55f9eb0fbec40b85ccd98979

    SHA512

    b77c342b500e7b8794d00d64e55d6376ecc70439e8691db7392f646f18f80db534f0e2e3cbad56eec6f3b31f3eeb147632b9507d38b56841e734b703174388ac

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/2096-0-0x0000000074461000-0x0000000074462000-memory.dmp

    Filesize

    4KB

  • memory/2096-1-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/2096-3-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/2096-24-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/2804-8-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/2804-18-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB