Analysis
max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
18/10/2024, 21:33
Static task
static1
Behavioral task
behavioral1
Sample
86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
Resource
win10v2004-20241007-en
General
Target
86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
Size
78KB
MD5
eb26f7f2335a2239eaf496c42f0306f0
SHA1
e9debffb6f57de27d125c28f79aa552f635633b2
SHA256
86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2f
SHA512
b910ba53e668174a11f0b9a8bc49a5bcb6683751c95b46706fa352d417a093f5ea9a6f6d2d673162bdf38aae046327ab255c6ad13e9c915e46786cdba5c3bd11
SSDEEP
1536:chPWV5rXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96v9/Hm1ab:gPWV5rSyRxvY3md+dWWZyk9/X
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe

Deletes itself (1 IoC)
pid | Process
1196 | tmp9F5D.tmp.exe

Executes dropped EXE (1 IoC)
pid | Process
1196 | tmp9F5D.tmp.exe

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler. In the process tree it is launched with /noconfig and a response file (w36z0cxp.cmdline) from the sample's Temp directory, and it in turn runs cvtres.exe to convert the resource file for the output, so code shipped as source is being compiled on the victim at run time rather than delivered as a finished binary.

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmp9F5D.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9F5D.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1896 | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
Token: SeDebugPrivilege | 1196 | tmp9F5D.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1896 wrote to memory of 2392 | 1896 | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe | 84
PID 1896 wrote to memory of 2392 | 1896 | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe | 84
PID 1896 wrote to memory of 2392 | 1896 | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe | 84
PID 2392 wrote to memory of 1360 | 2392 | vbc.exe | 87
PID 2392 wrote to memory of 1360 | 2392 | vbc.exe | 87
PID 2392 wrote to memory of 1360 | 2392 | vbc.exe | 87
PID 1896 wrote to memory of 1196 | 1896 | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe | 90
PID 1896 wrote to memory of 1196 | 1896 | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe | 90
PID 1896 wrote to memory of 1196 | 1896 | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe (depth 1, PID 1896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, PID 2392, child of 1896)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w36z0cxp.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3, PID 1360, child of 2392)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF364F2AFE0E47529242D533385ADAB1.TMP"
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmp9F5D.tmp.exe (depth 2, PID 1196, child of 1896)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9F5D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
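The signatures and the process tree above describe one chain: a Temp-resident executable drives vbc.exe with a response file, vbc.exe runs cvtres.exe, a tmpXXXX.tmp.exe helper is started with the original's path as its argument, the original queries Geo\Nation, and the helper writes a Run value pointing into Temp. The following script is an added example, not code from tria.ge or from the sample, showing how a responder would turn those observations into detection logic over endpoint telemetry. The event records are constructed to mirror this report: the process records use Sysmon process-creation field names (ProcessId, ParentProcessId, Image, ParentImage, CommandLine), the registry records reuse the report's own description/ioc/Process columns with the Run value data split into a separate field, the full image path given for each process and the root's parent PID are assumptions, and DEV_TOOL_PARENTS is an assumed allowlist of build tools that legitimately call vbc.exe.

```python
"""Triage rules for the compile-and-drop chain in this report (added example).

Events are constructed from the report; field names follow Sysmon process
creation for processes and the report's own columns for registry activity.
"""
import re

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP_DIR + r"\86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe"
DROPPED = TEMP_DIR + r"\tmp9F5D.tmp.exe"
VBC = NET20 + r"\vbc.exe"
CVTRES = NET20 + r"\cvtres.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000"

# Assumed allowlist: parents that legitimately drive vbc.exe with a response file.
DEV_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}

# Constructed process-creation records; PIDs and command lines are the report's,
# the root's ParentProcessId (0) and ParentImage ("") are placeholders.
PROCESS_EVENTS = [
    {"ProcessId": 1896, "ParentProcessId": 0, "ParentImage": "", "Image": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 2392, "ParentProcessId": 1896, "ParentImage": SAMPLE, "Image": VBC,
     "CommandLine": '"' + VBC + '" /noconfig @"' + TEMP_DIR + r'\w36z0cxp.cmdline"'},
    {"ProcessId": 1360, "ParentProcessId": 2392, "ParentImage": VBC, "Image": CVTRES,
     "CommandLine": CVTRES + ' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP_DIR
                    + r'\RESA0D4.tmp" "' + TEMP_DIR + r'\vbcF364F2AFE0E47529242D533385ADAB1.TMP"'},
    {"ProcessId": 1196, "ParentProcessId": 1896, "ParentImage": SAMPLE, "Image": DROPPED,
     "CommandLine": '"' + DROPPED + '" ' + SAMPLE},
]

# Constructed registry records in the report's columns; Process is a full path here
# (the report prints only the file name) and the Run value data is its own field.
REGISTRY_EVENTS = [
    {"description": "Key value queried", "pid": 1896, "Process": SAMPLE,
     "ioc": HKU + r"\Control Panel\International\Geo\Nation", "value": ""},
    {"description": "Set value (str)", "pid": 1196, "Process": DROPPED,
     "ioc": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes",
     "value": '"' + TEMP_DIR + r'\big5.exe"'},
]

RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
TMP_HELPER = re.compile(r"^tmp[0-9a-f]{4}\.tmp\.exe$", re.IGNORECASE)


def _under_temp(path):
    return path.lower().startswith(TEMP_DIR.lower() + "\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_process_chain(events):
    """Flag the vbc.exe compile chain and the Temp-resident helper seen in the tree."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        name, parent = _basename(e["Image"]), _basename(e["ParentImage"])
        if name == "vbc.exe":
            # Response file under Temp, and the caller is not a build tool: source
            # is being compiled on the host at run time.
            m = RESPONSE_FILE.search(e["CommandLine"])
            if m and _under_temp(m.group(1)) and parent not in DEV_TOOL_PARENTS:
                findings.append(("runtime_compile_from_temp", e["ProcessId"]))
        elif name == "cvtres.exe" and parent == "vbc.exe":
            # cvtres.exe under vbc.exe is a normal compile step; it only matters when
            # the compiler itself was started by an executable living in Temp.
            vbc = by_pid.get(e["ParentProcessId"])
            if vbc and _under_temp(vbc["ParentImage"]):
                findings.append(("compile_chain_rooted_in_temp", e["ProcessId"]))
        elif TMP_HELPER.match(name) and _under_temp(e["Image"]):
            # tmpXXXX.tmp.exe given its parent's own path as an argument: the shape
            # of a helper that outlives the original and cleans it up.
            if e["ParentImage"] and e["ParentImage"].lower() in e["CommandLine"].lower():
                findings.append(("dropped_helper_given_parent_path", e["ProcessId"]))
    return findings


def detect_registry(events):
    """Flag the geofence lookup and a Run value whose target lives in Temp."""
    findings = []
    for e in events:
        key = e["ioc"].lower()
        if (e["description"] == "Key value queried"
                and key.endswith(r"\control panel\international\geo\nation")
                and _under_temp(e["Process"])):
            findings.append(("geofence_lookup_from_temp", e["pid"]))
        elif (e["description"].startswith("Set value")
                and "\\currentversion\\run\\" in key
                and _under_temp(e["value"].strip().strip('"'))):
            findings.append(("run_key_points_into_temp", e["pid"]))
    return findings


def triage(process_events, registry_events):
    """Return every finding as (rule, pid), sorted so the result is stable."""
    return sorted(detect_process_chain(process_events) + detect_registry(registry_events))


if __name__ == "__main__":
    for rule, pid in triage(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"{pid:>5}  {rule}")
```

Run as-is it reports five findings against the constructed events, one per PID and rule; the same functions can be fed real Sysmon and registry telemetry once the field names are mapped. The allowlist is the tuning point: vbc.exe with a response file is routine under msbuild.exe or devenv.exe, so the rule keys on who the caller is and where the response file lives rather than on vbc.exe alone.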
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
1KB
MD5
32a5f3d49ad2a3d314de57f40bff2818
SHA1
e6d26b6a1df8ec7c4802d81b2d6acc174ebec957
SHA256
09cef74147134e1c6db4dca1c4765e4e38d73607abe9f45640efec44231e815c
SHA512
9871032a06cf289bd790aee344b70cdf9d3a02e79bee7eb30491e3d7aff8f8d0a284386de5246d24ee72e6a9c8ef0d812656a977228f25eabc9efec8116b020c

Filesize
78KB
MD5
f2b5f06c56d399abd50160a38683d855
SHA1
5dd8003913c7e9cfd11c9e3a4a4bac98b372f476
SHA256
fb5b601cae3e96f783bdd02c245ddfcd6de1f9995fc3b2ac097d5f0f628e2993
SHA512
e7aedbc8ebfbb3b788cf732d722c9377bb5634ae9140da4a9ca71330f88cb36f8523d752b7bed98d5f2b57ebc786f958a7224ce442ade80a0a2c8a016a3ab7a7

Filesize
660B
MD5
03e2fe28cad72bb3af058d436987670b
SHA1
ba13ffb7fb43ac9e7617b50d3e82b173e4cc67e0
SHA256
87bfb46408b5e63ca0e481ce40c3f2b1b1043314583160f627ac9b08390e90a7
SHA512
46dc7140fb56dec403f43f847dc00ea73a81536d020927d94ca21d7523c6f7a0a1ede9ccd83f583106368b670f355ef4fc4f8d53be61c735e8f7d963eed268ae

Filesize
14KB
MD5
9f721888b801fbb167fb17391d30c564
SHA1
a4096ba15af99b514d971207ac0e6e236cc9f766
SHA256
028574957feb76958c11024002e6f6b323f8b119a75f2741a52b0b8b99fc3da0
SHA512
b7a1667e46c5765ae7e73b25b1eb5cdff8766f1a7fc472fb34fc293662ada3e0dc0e63b3d2b4fef1ef63c6fe6a96efba0fdb34fbf438a934ca5fc0bb23f33038

Filesize
266B
MD5
2eb91bc4169d8331615f9c987e0c940f
SHA1
6c71f5fe618bd775f79eab15476dc1980b1a1bfb
SHA256
6973a3e8f0b25b0c73f53243192f900edf2e05b6eaa6d3d459d7cc62ea40ac85
SHA512
449a3ea25a02ee2dadd2df010a1528b0bda772b87fa7d970b2cb02700c32706f051d50ee810f7f6a05120b0ae3cf54b603b6787d3c888fee2193fce6c38d2645

Filesize
62KB
MD5
4f0e8cf79edb6cd381474b21cabfdf4a
SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107