Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2024, 17:15

General

  • Target

    030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe

  • Size

    78KB

  • MD5

    7f3b33bc122eee12eb653918984d2ad0

  • SHA1

    b0667a6af3346edc57635491a574216ed0623584

  • SHA256

    030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2

  • SHA512

    1c16ddf84e7f3c76821e53721260b298764adf2a731211fb535db4d59ef221d0d1fdc56e714328842df02a33985d0c635ff9164758296bd7fc8f9fb34d560b42

  • SSDEEP

    1536:OWV5rXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC659/F1Xu:OWV5rSyRxvhTzXPvCbW2Uh9/2

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
    "C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k976ih37.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3D3.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2228
    • C:\Users\Admin\AppData\Local\Temp\tmpD29B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD29B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD3D4.tmp

    Filesize

    1KB

    MD5

    047946683f3f3f3b9723c964afd75820

    SHA1

    048f064987b331a78567e1dfeaa5ac9449d68f4e

    SHA256

    3803c3ea3c1ac6801227667dc5311f5b567371b7a4c4ab78dac2c50a4e2650c1

    SHA512

    52d019d50d7c33e05f684f4b3c55ae9e509a05c38790d731867145f34350dd6d870cb57ecd8e87d5436c9b05a753c00f262ecdb54f2059eaa5bc89cbcd4cd96f

  • C:\Users\Admin\AppData\Local\Temp\k976ih37.0.vb

    Filesize

    14KB

    MD5

    1732b6620b77291ea757bac6d3f9abd3

    SHA1

    be99917d43cf5e46fb81d8f931e0d7202940b9a1

    SHA256

    9c71a5a2b72174ac39902ee52979364f015f2447d0c259408fe4dc500d27390a

    SHA512

    aab65ed8a7c225db3e125ed0016f49b9f4bdab31335a8460dfa1a229d6361fc8b46625847cf80eff46be26f3d1c7e9188eca76f9005074fa39a7e67643955acc

  • C:\Users\Admin\AppData\Local\Temp\k976ih37.cmdline

    Filesize

    266B

    MD5

    1e553154da749cbaa747c2bc44ca272e

    SHA1

    797d222c47edbbb1c01269f306a799d0d57af3aa

    SHA256

    aeb2a2f5ff8b1f40905a909a6a7890273e40122541810e0922239f42cfd5a244

    SHA512

    9ea13e31791d0588daa796628dbb9b6e03bdbe4a1dd5e381972da163a8809e7c9eb7d3a4a67667b3f1d8592cf4b4ee41f4ed22af5832e85b2094375a5039620f

  • C:\Users\Admin\AppData\Local\Temp\tmpD29B.tmp.exe

    Filesize

    78KB

    MD5

    3f60698d588389fcb85bb9be49e029b5

    SHA1

    de1ab98bd3e5d66d4b3cd5a7c9b1e7980c0b71e2

    SHA256

    886e8c3d9dd0656f973baaec583a91644dc21bb62fb7324900ed583978e9d3e5

    SHA512

    9251f4e73933d126688dd4124f6e1e21fa8743d14e4b1057dfb2fc42de61dfa24cabc817e3b1fd8eea8cb52027420878e067daecbba7b0dc09ea83ed7eaea4ae

  • C:\Users\Admin\AppData\Local\Temp\vbcD3D3.tmp

    Filesize

    660B

    MD5

    85f641d3f7be6333eade78544aca3a94

    SHA1

    7055dca033efb6ff61b232442dd216729a5fb7a6

    SHA256

    3e1e46ffce1d15516266176c75d8d2be3d2e149b2946ee9725be5e8f34763136

    SHA512

    9b0ba41f0c39de16a88f3c130d611d3c5846223634e2c1d391e835871b7eb136b6de9089c20377dd094cb8a4fce23787dbf0ec97380c320e84af65df014d7d70

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/1404-8-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1404-18-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2376-0-0x0000000074851000-0x0000000074852000-memory.dmp

    Filesize

    4KB

  • memory/2376-2-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2376-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2376-24-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB