Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  Resource: win10v2004-20240802-en
General
Target: 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
Size: 78KB
MD5: b0ec359e94b58d69c223e0ddf544c000
SHA1: be2360bf717a87109b52995bd815b5b1d22f5d17
SHA256: 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63d
SHA512: ac7a5b1c0a44a830affea41673122a599765b9cdb3ae2b59bd1aaecbbcc6eb201b928831b4bf023bf5c8b59eb077c5b37caf6a2b6b864c720602ec04b09b879f
SSDEEP: 1536:5CHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtW9/61b8:5CHYnhASyRxvhTzXPvCbW2UW9/3
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe

Deletes itself (1 IoC)
pid | Process
1424 | tmp8628.tmp.exe

Executes dropped EXE (1 IoC)
pid | Process
1424 | tmp8628.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmp8628.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8628.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5000 | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
Token: SeDebugPrivilege | 1424 | tmp8628.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 5000 wrote to memory of 4156 | 5000 | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe | 82
PID 5000 wrote to memory of 4156 | 5000 | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe | 82
PID 5000 wrote to memory of 4156 | 5000 | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe | 82
PID 4156 wrote to memory of 860 | 4156 | vbc.exe | 84
PID 4156 wrote to memory of 860 | 4156 | vbc.exe | 84
PID 4156 wrote to memory of 860 | 4156 | vbc.exe | 84
PID 5000 wrote to memory of 1424 | 5000 | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe | 85
PID 5000 wrote to memory of 1424 | 5000 | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe | 85
PID 5000 wrote to memory of 1424 | 5000 | 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe | 85
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5000

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n4mleo2w.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4156

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8760.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11993C47AA504BC795D5A3BB28F13DC.TMP"
      - System Location Discovery: System Language Discovery
      PID: 860

  C:\Users\Admin\AppData\Local\Temp\tmp8628.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8628.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1424
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 60e7395e4c947a714166d5815dede34b
SHA1: e50083fba6a9cfcba1f6fd43ac50245236af8438
SHA256: b6e05e284920bd95e4c87a2813ca018f1891f75960fb1c7cd2b02ada13d86388
SHA512: aca90b75357986e7e324a2d3ade06ece67c3cc3289b89b65975b5eff607da75178aa18f9a694fd44876fc4601ebca7ea33e0b9d21ca1f8fccd65fa607c13f71e

Filesize: 15KB
MD5: 0a3e76ac989c23d6ef02ffdf10fc1aa1
SHA1: 3ed0f01a21894fb1e09fbba654c9b6e0cd312992
SHA256: d171865b9908904009f13a7fb17e731333a47d302521028928c0351c963841ae
SHA512: 4b684847254b42aa4fb80fd2c779cf8260b065f11dc30fb2ef86aa38f1cf829ecca3558a39cd551da125035e2cc0fe19be95e689533b17e471353b4a162c4ab1

Filesize: 266B
MD5: c25a90b59ab1f0770f85b42efe7e1d59
SHA1: 41659ae7e408a85f49e967ce6b56ec5c2194e1f4
SHA256: 87e21ae27a3fdd04b1199713bb53f8c0802bd14846bf622a5073ced1e0543427
SHA512: 3e7f89a7f90f127090a434c35472e603b8123a63127eea296637f8af10842f9d2d16295e92e3bfc2135a9ed2b31d960b948ab8ad137e239f7ffe43498a893dca

Filesize: 78KB
MD5: 82c18c8bfd9cbae9579be768d675e325
SHA1: 1287ffc6c7e5095d8097117854b37ae6fefdbeff
SHA256: 7e685afada3133f65abeed3e41017de97bf60c6a2b3fc4cb49ada4e7868ff834
SHA512: 1a2afa9b298060080c70349473a2acac72152919e79abd52a79e6c5a7c777e2e61f776b142c66ea0f0becd45583478b335b6d724d8b365eaef588b00e4d381e1

Filesize: 660B
MD5: 7ac6231fa93fe87606fbcdaa8cc884c4
SHA1: cc62cd2be8c39ff09f5feb30c7bb89f2c5d75d22
SHA256: ab0346f4c173cae1cb44e6e31edc7db769cf46d1d2a89f96d0bde7417e1773b9
SHA512: 3b8ed6dbd4e4d3c7a471f12ff600abd12efa1de8b7bb1b93d31c63df8c69d973dc0ed7a3b7ff9b4b4773c1e7245a92987ab67771268a3e78b00cd0507e4a3bb1

Filesize: 62KB
MD5: 8fd8e054ba10661e530e54511658ac20
SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c