Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 02:59

General

  • Target

    046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe

  • Size

    78KB

  • MD5

    c1c088343ee0fa26e039c9990f1a2d20

  • SHA1

    274e70ffb38cffffb1a02e04b5b87124600eb139

  • SHA256

    046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831

  • SHA512

    207037ed07645b5346a8c7e4d49cf1274ad8ba333e048a92906917694a776a63202444e909873ee2efcd7357b126879ef0b34b6523087e1f94dd130e1063a2eb

  • SSDEEP

    1536:cPWtHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtD9/I1vl:cPWtHYnh/l0Y9MDYrm7D9/o

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
    "C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtfufoeb.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF90F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF90E.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2348
    • C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.exe" C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESF90F.tmp

    Filesize

    1KB

    MD5

    96f8bebf5daf3dd62cb33ffd4cf3bd87

    SHA1

    8de815448d228a32e35914c3b36ddd9b53141d74

    SHA256

    fdbc6fb9b68612f31d9e457b3fb84c999851c0aabe710aa86035b2a1589bf831

    SHA512

    bd2ccfdee5dd4f5d9bcaa2c533eb13387c3583f4ba9ce100af72cfe85d8b1a36c26a84d7d7f51bbf5603cbe36c9933f96ad37cf41cb39dc2aefad9aa82c4710f

  • C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.exe

    Filesize

    78KB

    MD5

    55eaebe79586a4cbb7bc9164cd1e7fc5

    SHA1

    9584e9f8cd7b6aa1606a20b17901ba561c2c5db1

    SHA256

    c44fa0257d2f8090e139f1176291b5ee3a8efac494212434fa3abc84c69247ce

    SHA512

    c4f633c69890527c5c63677644d91a34db0b5488a3bc571450ab17a3a9d9a1d61184d2b03223379d00df55d55c74c5f565a27e170235cbc9ebca6a0d14afa1e9

  • C:\Users\Admin\AppData\Local\Temp\vbcF90E.tmp

    Filesize

    660B

    MD5

    fc19964a03d70ae23179c5d0ad2d7de1

    SHA1

    9d6b03d8a3e627d8ee821e33c0d7044d385d2e34

    SHA256

    188a03e77ef13515d6f2dd4ece119dab5e1757f713874cfafc6b838bfa46ea45

    SHA512

    4bca9ef97d6df377d5003f0c0af5ff1c96b7ab57413b2e8d3977071361240da9233d59c1d07199e60e612220db606f69a1813795203650c3e04fecb14ee82f5c

  • C:\Users\Admin\AppData\Local\Temp\wtfufoeb.0.vb

    Filesize

    15KB

    MD5

    0cf9237f36988c5f7b3f7e1d3f263ca5

    SHA1

    213610a6bb3823e97d86eff1681f7b89db676df0

    SHA256

    5997c18c1bce41b1d69608eb0e6a4266707f4d7f6a2f563b1191502c28cd02bd

    SHA512

    edac2b79b62ec825dfbf510a913abeca7144730274ccedd7692f4530a6dd6238b51b83f65eb5d926b5eaff59a0042bf73fb365c3fd13bb00426416264c2d77fb

  • C:\Users\Admin\AppData\Local\Temp\wtfufoeb.cmdline

    Filesize

    266B

    MD5

    06b41e1759d14cb346b7c633590f4e32

    SHA1

    38c180f4075bdea12cafdca70c21db555e7fec72

    SHA256

    fb5f9a4ccbd8d0d2d4dbe87ed87d2b6c8cd82de2a4857ba5c6ed5aa09cc5f2a1

    SHA512

    00214e7960dc464120b8de8796531339087563c19d29d9fdb853d38b60a9c141df13ea395261a8fd67cf15b1927a2b31d48fcd4382bc78f3cbd5ca5ae524e4d5

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/2656-8-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2656-18-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2980-0-0x0000000074051000-0x0000000074052000-memory.dmp

    Filesize

    4KB

  • memory/2980-1-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2980-2-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2980-24-0x0000000074050000-0x00000000745FB000-memory.dmp

    Filesize

    5.7MB