Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/10/2024, 17:40
Static task: static1
Behavioral task: behavioral1
- Sample: c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
- Resource: win10v2004-20241007-en
General
- Target: c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
- Size: 78KB
- MD5: d33d0480db077326513829ec447228e0
- SHA1: f31fcdbc6d2d8d3412a098ba88a80eb5b545ebaf
- SHA256: c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11
- SHA512: 70e76359a1c4a8e64727b5617becfd945bd897ed9596374c31d9098c4644ebe8a35b8e7628fa24541f3cbdbbf3c0fd894ad6c263a46c82f31e0a72c4a4c2dedf
- SSDEEP: 1536:F4tHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt1d9/n1c1:F4tHYnhASyRxvhTzXPvCbW2U1d9/u
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe)
- Executes dropped EXE (1 IoC)
  PID 3444: tmp99FE.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmp99FE.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp99FE.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (PID 3544, c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe)
  Token: SeDebugPrivilege (PID 3444, tmp99FE.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3544 wrote to memory of 1772 (process: c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe, procid_target: 86), reported 3 times
  PID 1772 wrote to memory of 2876 (process: vbc.exe, procid_target: 89), reported 3 times
  PID 3544 wrote to memory of 3444 (process: c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe, procid_target: 90), reported 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe"
  PID: 3544
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cudb_5u6.cmdline"
    PID: 1772
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36AF2C30F394CFA8255F1DFEB38065.TMP"
      PID: 2876
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
    PID: 3444
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads