Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    16/10/2024, 15:06

General

  • Target

    d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe

  • Size

    78KB

  • MD5

    5fe6e6c238aeeae9b31020099714d230

  • SHA1

    8f5746cd718d6004afef9c00df899f519e3d642c

  • SHA256

    d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662

  • SHA512

    ffcd84dd45465c8f69e183b36ef7eed4801353b940cb8bfb9683f2fc65c55e6749ff580c48b6e1262c35f711e734fec4008364866fab3d79c433366054cbc548

  • SSDEEP

    1536:VRCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteKb9/k1/A:VRCHFq3Ln7N041QqhgeKb9/l

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
    "C:\Users\Admin\AppData\Local\Temp\d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ekl9vo8s.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6327.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6326.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2828
    • C:\Users\Admin\AppData\Local\Temp\tmp5FEB.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp5FEB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES6327.tmp

    Filesize

    1KB

    MD5

    8d511ab42f54638346e85d092c7b5720

    SHA1

    5c774b8388359b73a14dc067bddb431ca1a79e6d

    SHA256

    1eb233b5451a2e865ba5cac743346c1c9d49879c34e107f70d3751daa29de1ca

    SHA512

    239a50f7a7386dd9fe07497af051b1761eab1d15d3ad135e67396bd6e69191b564f842fa27bf290caa8a635dc8810255b8e8240e9489b36e0bfd06c000fcdb98

  • C:\Users\Admin\AppData\Local\Temp\ekl9vo8s.0.vb

    Filesize

    15KB

    MD5

    df5da9e4a2042e634a197d44d83e5cfd

    SHA1

    41f2cc46a734102498f3815a103c01eaa63c8ae5

    SHA256

    f18a9c6d5dfe7c5c1e186c69e232c0fb385f02be0135ea0ac6db14138701e3ca

    SHA512

    46a1ea37472de264dd8351dab8b44964f36a0b487493c03a6e65ad6552442b95c89d95d8844c2df06d4b679d167dc8368d6433f6d53ce92b9fd5f55c168fd47c

  • C:\Users\Admin\AppData\Local\Temp\ekl9vo8s.cmdline

    Filesize

    266B

    MD5

    baf762bdf339f19f7d0bbf7eace92d56

    SHA1

    928b20624b5c6611cddddb75c25becd0dd526593

    SHA256

    35138f9b11b53c25c2d8c79660495534c21affeb48aee6b79df20fffb1c4a19c

    SHA512

    4b31a650d73ca3cb2620ca7c1b5b301ede31a8d3ad8f0c2ee3c788971cdd5b5ae23057115dcf3e67604a19086524b209fba59811c1a83d4eac63d0bca09dd027

  • C:\Users\Admin\AppData\Local\Temp\tmp5FEB.tmp.exe

    Filesize

    78KB

    MD5

    d9b7c4c38a9157248cdd5842d9b785f3

    SHA1

    9a9ef313c5456b48675953a22beae2113d4b65e4

    SHA256

    cebb3e83fbc4b731a7104597c8225063b636dd8b3e41f3b61b1364c525716045

    SHA512

    c7af673ad1f77dd5c5eff0dc21da63547e5a71eb976b8ce5711262f9e5d222375d8cd2888102648256a160da17b14a515859ad08b0243128867da669627a5545

  • C:\Users\Admin\AppData\Local\Temp\vbc6326.tmp

    Filesize

    660B

    MD5

    13df5f64be656a1aef0d74895129f59c

    SHA1

    2d8e23144a00763a4c2e826e6b2e1cf723079393

    SHA256

    b29cff325c3d29da0d11b0c40b85baf72a7938c26a5598779ad342be4346a626

    SHA512

    f0dd4237e87386b33cac536f01baeda350237e2e001c7d0dfac030d490a3a01c612b57909949fcebce8355bdcd6f60aef6134783020e9720beb64b2f0ebe39ef

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/2476-0-0x00000000740A1000-0x00000000740A2000-memory.dmp

    Filesize

    4KB

  • memory/2476-1-0x00000000740A0000-0x000000007464B000-memory.dmp

    Filesize

    5.7MB

  • memory/2476-2-0x00000000740A0000-0x000000007464B000-memory.dmp

    Filesize

    5.7MB

  • memory/2476-24-0x00000000740A0000-0x000000007464B000-memory.dmp

    Filesize

    5.7MB

  • memory/2932-8-0x00000000740A0000-0x000000007464B000-memory.dmp

    Filesize

    5.7MB

  • memory/2932-18-0x00000000740A0000-0x000000007464B000-memory.dmp

    Filesize

    5.7MB