Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/10/2024, 17:15
Static task
- static1
Behavioral task
- behavioral1
  Sample: 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
  Resource: win10v2004-20241007-en
General
- Target: 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
- Size: 78KB
- MD5: 7f3b33bc122eee12eb653918984d2ad0
- SHA1: b0667a6af3346edc57635491a574216ed0623584
- SHA256: 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2
- SHA512: 1c16ddf84e7f3c76821e53721260b298764adf2a731211fb535db4d59ef221d0d1fdc56e714328842df02a33985d0c635ff9164758296bd7fc8f9fb34d560b42
- SSDEEP: 1536:OWV5rXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC659/F1Xu:OWV5rSyRxvhTzXPvCbW2Uh9/2
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Deletes itself (1 IoC)
  pid 2692, Process tmpD29B.tmp.exe
- Executes dropped EXE (1 IoC)
  pid 2692, Process tmpD29B.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 2376, Process 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
  pid 2376, Process 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
  Process: tmpD29B.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process cvtres.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process tmpD29B.tmp.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2376, Process 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
  Token: SeDebugPrivilege, pid 2692, Process tmpD29B.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2376 wrote to memory of 1404, pid 2376, Process 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe, procid_target 31 (4 identical entries)
  PID 1404 wrote to memory of 2228, pid 1404, Process vbc.exe, procid_target 33 (4 identical entries)
  PID 2376 wrote to memory of 2692, pid 2376, Process 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe, procid_target 34 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe (PID 2376)
  Command line: "C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1404)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k976ih37.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2228)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3D3.tmp"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpD29B.tmp.exe (PID 2692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD29B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
    Signatures: Deletes itself; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 047946683f3f3f3b9723c964afd75820
  SHA1: 048f064987b331a78567e1dfeaa5ac9449d68f4e
  SHA256: 3803c3ea3c1ac6801227667dc5311f5b567371b7a4c4ab78dac2c50a4e2650c1
  SHA512: 52d019d50d7c33e05f684f4b3c55ae9e509a05c38790d731867145f34350dd6d870cb57ecd8e87d5436c9b05a753c00f262ecdb54f2059eaa5bc89cbcd4cd96f
- Filesize: 14KB
  MD5: 1732b6620b77291ea757bac6d3f9abd3
  SHA1: be99917d43cf5e46fb81d8f931e0d7202940b9a1
  SHA256: 9c71a5a2b72174ac39902ee52979364f015f2447d0c259408fe4dc500d27390a
  SHA512: aab65ed8a7c225db3e125ed0016f49b9f4bdab31335a8460dfa1a229d6361fc8b46625847cf80eff46be26f3d1c7e9188eca76f9005074fa39a7e67643955acc
- Filesize: 266B
  MD5: 1e553154da749cbaa747c2bc44ca272e
  SHA1: 797d222c47edbbb1c01269f306a799d0d57af3aa
  SHA256: aeb2a2f5ff8b1f40905a909a6a7890273e40122541810e0922239f42cfd5a244
  SHA512: 9ea13e31791d0588daa796628dbb9b6e03bdbe4a1dd5e381972da163a8809e7c9eb7d3a4a67667b3f1d8592cf4b4ee41f4ed22af5832e85b2094375a5039620f
- Filesize: 78KB
  MD5: 3f60698d588389fcb85bb9be49e029b5
  SHA1: de1ab98bd3e5d66d4b3cd5a7c9b1e7980c0b71e2
  SHA256: 886e8c3d9dd0656f973baaec583a91644dc21bb62fb7324900ed583978e9d3e5
  SHA512: 9251f4e73933d126688dd4124f6e1e21fa8743d14e4b1057dfb2fc42de61dfa24cabc817e3b1fd8eea8cb52027420878e067daecbba7b0dc09ea83ed7eaea4ae
- Filesize: 660B
  MD5: 85f641d3f7be6333eade78544aca3a94
  SHA1: 7055dca033efb6ff61b232442dd216729a5fb7a6
  SHA256: 3e1e46ffce1d15516266176c75d8d2be3d2e149b2946ee9725be5e8f34763136
  SHA512: 9b0ba41f0c39de16a88f3c130d611d3c5846223634e2c1d391e835871b7eb136b6de9089c20377dd094cb8a4fce23787dbf0ec97380c320e84af65df014d7d70
- Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c