Analysis
- Max time kernel: 149s
- Max time network: 152s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 15/10/2024, 21:21
Static task: static1
Behavioral task: behavioral1
- Sample: 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe
- Resource: win10v2004-20241007-en
General
- Target: 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe
- Size: 78KB
- MD5: ce880ec97bd3e51027c065306bacae25
- SHA1: 29b5f9ace1358d775e8622d0ea8f6107216519ea
- SHA256: 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a
- SHA512: 07d97d6dc7e15e4f000d1da2494703af74c5723aa40c1e165a68ed8a3e0d8587ae6a25b57f833c1d511fec367d199f915af2a30d983449d59c3915219b9e1d95
- SSDEEP: 1536:1RCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtci9/V15g:1RCHY53Ln7N041Qqhgci9/K
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe
- Executes dropped EXE (1 IoC)
  PID | Process
  3704 | tmpA6CF.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmpA6CF.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpA6CF.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 5088 | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe
  Token: SeDebugPrivilege | 3704 | tmpA6CF.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Description | PID | Process | Target PID
  PID 5088 wrote to memory of 2072 | 5088 | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe | 84
  PID 5088 wrote to memory of 2072 | 5088 | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe | 84
  PID 5088 wrote to memory of 2072 | 5088 | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe | 84
  PID 2072 wrote to memory of 3896 | 2072 | vbc.exe | 87
  PID 2072 wrote to memory of 3896 | 2072 | vbc.exe | 87
  PID 2072 wrote to memory of 3896 | 2072 | vbc.exe | 87
  PID 5088 wrote to memory of 3704 | 5088 | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe | 90
  PID 5088 wrote to memory of 3704 | 5088 | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe | 90
  PID 5088 wrote to memory of 3704 | 5088 | 49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe | 90
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe"
  PID: 5088
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jzrgshu4.cmdline"
    PID: 2072
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3DF19DA85E0499FA21C493455A7A913.TMP"
      PID: 3896
      - System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49938a5e15fccdc5b7e9fd0898d0989f679e3d42f54093b82226650ab7e5fb2a.exe
    PID: 3704
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 696d593f6f8a68c1bd0cc63ce92adb68
  SHA1: b1b9a41c1854e5534c845ffbf182d5144de03190
  SHA256: 43a6a3a69dc967cb1196bea4dce9469efb9241d92dacbf28d520e73a9c79455d
  SHA512: 2081bf624ee49219ed3385728112193d6b8cd15e7972b128a1ed01415d64a5d485077f6509485fdd0d4eeb944f3a738bea853832ce9e2756112b65b2211b34ca
- Filesize: 15KB
  MD5: efc6244901b56ec7ae41aa7818416931
  SHA1: 18ddad090bb742ddd75a3958095c2a108e7759f5
  SHA256: 33b3981a832620e8dd53fd6f2321eba491f429ef1fcdfab7cebf80cea66e00e8
  SHA512: 2ad7bd7649a83f3f899f6da80c27cf1ade4f7a430445b233a8d9815dff5995953e2b0a977d1a70c2fef8e5941e28377018f79cd71d7d4f96b511de85913bfddb
- Filesize: 266B
  MD5: 30684637062a03a1a9e27ee7247464a5
  SHA1: d7365d17091d9cedf7f0070e3d6f0648965078f7
  SHA256: d57aa8b89ab8e3c5f950baea2c3cc8938d119f1f5053d4e2b436e52ef9eb87fc
  SHA512: 1cdd55aa739fddaf9cc8761925ed4a0943c4e2de58603843f0537875fa15d8deb9ee4565d8cfaea8b8848153c62b5139dd1f20c1944c1a4f642efce740d2f8a6
- Filesize: 78KB
  MD5: 981e0f89474a33e5ce41568378333537
  SHA1: e89e4b43698e0b1d73923a75dc8f381bfb8f1072
  SHA256: 1fe708868905527b79c2b8b5f8e450d4b880a2c779cd083c8ecd917c1695f109
  SHA512: e6b93c0c1eb8afffb6e8eef71359d894b991ff5c21d753c9ee13288048d895f73dc852cfd9d2bca1efa76149fd0e94e2706ae8ea5fd83fd4450372441b676751
- Filesize: 660B
  MD5: f4cba9d6b358102af8439c7c880fd690
  SHA1: 74d757483bcfb9fe9910da9133889038f4a260d7
  SHA256: 99599d7e36c745ded2ffa1a3681e2e7eaee6333039e510d11e854428aca8338e
  SHA512: ddba63a8f3f077424c9be5df895da9a5e45c64a1eed19606aa9ac2bff6adaaddbf7bafcf1d305b943324165361ac2f0f1d7f4303ff649d209f10dc9acfde8f01
- Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65