Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/10/2024, 22:55
Static task: static1
Behavioral task: behavioral1
  Sample: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
  Resource: win10v2004-20241007-en
General
Target: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
Size: 78KB
MD5: 5035de61a0f808de5e03d37b266c6beb
SHA1: f265a2271892904229287ed7b62c974a2a20bb0e
SHA256: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374
SHA512: c1803625cbce1da19375d43ba87b7e5afec2d008222725e16d28b0ace601c06b0d8abd6b09ff24c03fb9abe4d4e307eed9bcaae9a91bee2b356119cf78e41265
SSDEEP: 1536:WPWtHY6JJteVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC9/s1Eu:WPWtHYO3e/vqyA11XYUBxprBPjcC9/C
Malware Config
Signatures
- MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation (process: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe)
- Executes dropped EXE (1 IoC)
  PID 1816: tmp8B77.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\"" (process: tmp8B77.tmp.exe)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp8B77.tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2376 (process: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe)
  Token: SeDebugPrivilege, PID 1816 (process: tmp8B77.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2376 wrote to memory of 1236 (pid 2376, process: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe, procid_target 84), reported 3 times
  PID 1236 wrote to memory of 1552 (pid 1236, process: vbc.exe, procid_target 88), reported 3 times
  PID 2376 wrote to memory of 1816 (pid 2376, process: 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe, procid_target 90), reported 3 times
Processes
C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe"
  PID: 2376
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xlnhgryb.cmdline"
    PID: 1236
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDABB9B92C4641EC88C97C50515B185D.TMP"
      PID: 1552
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmp8B77.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8B77.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
    PID: 1816
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads