Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 02:59
Static task: static1
Behavioral task: behavioral1
  Sample: 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
  Resource: win10v2004-20241007-en
General
Target: 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
Size: 78KB
MD5: c1c088343ee0fa26e039c9990f1a2d20
SHA1: 274e70ffb38cffffb1a02e04b5b87124600eb139
SHA256: 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831
SHA512: 207037ed07645b5346a8c7e4d49cf1274ad8ba333e048a92906917694a776a63202444e909873ee2efcd7357b126879ef0b34b6523087e1f94dd130e1063a2eb
SSDEEP: 1536:cPWtHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtD9/I1vl:cPWtHYnh/l0Y9MDYrm7D9/o
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Executes dropped EXE (1 IoC)
  PID 2668: tmpF805.tmp.exe
Loads dropped DLL (2 IoCs)
  PID 2980: 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
  PID 2980: 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" (process: tmpF805.tmp.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpF805.tmp.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2980 (046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe)
  Token: SeDebugPrivilege, PID 2668 (tmpF805.tmp.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2980 wrote to memory of 2656 (046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe, procid_target 30), 4 entries
  PID 2656 wrote to memory of 2348 (vbc.exe, procid_target 32), 4 entries
  PID 2980 wrote to memory of 2668 (046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe, procid_target 33), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe"
  PID: 2980
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtfufoeb.cmdline"
    PID: 2656
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF90F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF90E.tmp"
      PID: 2348
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.exe" C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
    PID: 2668
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads