Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2024, 15:12
Static task: static1
Behavioral task: behavioral1
- Sample: 6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe
- Resource: win10v2004-20240802-en
General
- Target: 6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe
- Size: 78KB
- MD5: cafe3f51f0ad7bd7e91f52efb5e48d80
- SHA1: 8609df5f6708542374b0927225356936a0f600cd
- SHA256: 6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4
- SHA512: 1e0c93be470cad88284fb2e257972a30830f6144f1d16f4f20c02c83d0702634fec287b49dbae854d6f8018f56331e2cfb12b6874c61786aa367cb174915b9a3
- SSDEEP: 1536:ZHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQte669/q1hH:ZHFonh/l0Y9MDYrm7e669/q
Malware Config
Signatures
- MetamorpherRAT: MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoC): PID 2624, process tmp7658.tmp.exe
- Loads dropped DLL (2 IoCs): PID 2096, process 6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe (two loads)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC): tmp7658.tmp.exe set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs): attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by tmp7658.tmp.exe, 6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe, vbc.exe and cvtres.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs): token SeDebugPrivilege enabled by PID 2096 (6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe) and PID 2624 (tmp7658.tmp.exe)
- Suspicious use of WriteProcessMemory (12 IoCs):
  - PID 2096 (6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe) wrote to memory of PID 2804, procid_target 30 (4 identical events)
  - PID 2804 (vbc.exe) wrote to memory of PID 1720, procid_target 32 (4 identical events)
  - PID 2096 (6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe) wrote to memory of PID 2624, procid_target 33 (4 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe (PID 2096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2804)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwoydpr4.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1720)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77CF.tmp"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp7658.tmp.exe (PID 2624)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7658.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6222a183b0ec85b8ff832dcf1fccedaf6dfd730959ea1752c15d129108e7c5e4N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads