Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2024, 15:06
Static task: static1
Behavioral task: behavioral1
  Sample: d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
  Resource: win10v2004-20241007-en
General
Target: d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
Size: 78KB
MD5: 5fe6e6c238aeeae9b31020099714d230
SHA1: 8f5746cd718d6004afef9c00df899f519e3d642c
SHA256: d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662
SHA512: ffcd84dd45465c8f69e183b36ef7eed4801353b940cb8bfb9683f2fc65c55e6749ff580c48b6e1262c35f711e734fec4008364866fab3d79c433366054cbc548
SSDEEP: 1536:VRCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteKb9/k1/A:VRCHFq3Ln7N041QqhgeKb9/l
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Executes dropped EXE (1 IoC)
  pid 2684  process tmp5FEB.tmp.exe
Loads dropped DLL (2 IoCs)
  pid 2476  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
  pid 2476  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmp5FEB.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp5FEB.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2476  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
  Token: SeDebugPrivilege  pid 2684  process tmp5FEB.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2476 wrote to memory of 2932  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe  procid_target 30
  PID 2476 wrote to memory of 2932  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe  procid_target 30
  PID 2476 wrote to memory of 2932  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe  procid_target 30
  PID 2476 wrote to memory of 2932  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe  procid_target 30
  PID 2932 wrote to memory of 2828  process vbc.exe  procid_target 32
  PID 2932 wrote to memory of 2828  process vbc.exe  procid_target 32
  PID 2932 wrote to memory of 2828  process vbc.exe  procid_target 32
  PID 2932 wrote to memory of 2828  process vbc.exe  procid_target 32
  PID 2476 wrote to memory of 2684  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe  procid_target 33
  PID 2476 wrote to memory of 2684  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe  procid_target 33
  PID 2476 wrote to memory of 2684  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe  procid_target 33
  PID 2476 wrote to memory of 2684  process d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe  procid_target 33
Processes
1. C:\Users\Admin\AppData\Local\Temp\d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2476
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ekl9vo8s.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2932
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6327.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6326.tmp"
         - System Location Discovery: System Language Discovery
         PID: 2828
   2. C:\Users\Admin\AppData\Local\Temp\tmp5FEB.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5FEB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2684
Network
MITRE ATT&CK Enterprise v15
Downloads