Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2024, 00:22
Static task: static1
Behavioral task: behavioral1
  Sample: 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
  Resource: win10v2004-20241007-en
General
Target: 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
Size: 78KB
MD5: 7bfbe9f42a7aa4e975f7946d44b3260f
SHA1: 35b0151f326b99687a8344c5af9e3fb431499ec9
SHA256: 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3
SHA512: 7b8d5113fc2642541da57bef8cc7f53eaab22dc0f7c25c93f274ebf9ee17395912e494ebe86b3804547f5677a9bcf2d493a4fdee2f6dbd5501c628d848ea89f1
SSDEEP: 1536:9RWtHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRk9/O1GD:9RWtHF8h/l0Y9MDYrm7Rk9/H
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation
  Process: 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
Executes dropped EXE (1 IoC)
  pid: 1468
  Process: tmp8F6F.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""
  Process: tmp8F6F.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: vbc.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: cvtres.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: tmp8F6F.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 4940 | Process: 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
  description: Token: SeDebugPrivilege | pid: 1468 | Process: tmp8F6F.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4940 wrote to memory of 1888 | 4940 | 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe | 84
  PID 4940 wrote to memory of 1888 | 4940 | 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe | 84
  PID 4940 wrote to memory of 1888 | 4940 | 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe | 84
  PID 1888 wrote to memory of 5044 | 1888 | vbc.exe | 88
  PID 1888 wrote to memory of 5044 | 1888 | vbc.exe | 88
  PID 1888 wrote to memory of 5044 | 1888 | vbc.exe | 88
  PID 4940 wrote to memory of 1468 | 4940 | 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe | 89
  PID 4940 wrote to memory of 1468 | 4940 | 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe | 89
  PID 4940 wrote to memory of 1468 | 4940 | 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4940
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i6aa6z4j.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1888
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F2ECFAE26274B51B0E1CD71E8A847B6.TMP"
      - System Location Discovery: System Language Discovery
      PID: 5044
  C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1468
Network
MITRE ATT&CK Enterprise v15
Downloads