Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18/10/2024, 00:37
Static task: static1
Behavioral task: behavioral1
  Sample: eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
  Resource: win10v2004-20241007-en
General
Target: eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Size: 78KB
MD5: edadcbcef93c77248f4d2c0c723ac480
SHA1: 9e63fbfcdc6d64d4e2eeb25f7b252ba6d5c1bd00
SHA256: eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89
SHA512: ef758c1a6b869ff711d6803e177e78670ab711868216881630108aa846ef1d63d824e9d92f99245eccf0c91939f26f1510fdfb12e5c2f16bd5f7932e144946c0
SSDEEP: 1536:ZWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRM9/q51KS:ZWtHFonhASyRxvhTzXPvCbW2URM9/E
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access trojan (RAT) that has been in circulation since 2013.
Executes dropped EXE (1 IoC)
  pid   process
  2424  tmpCAFD.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2604  eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
  2604  eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
The signature name says "VBS", but vbc.exe is the Visual Basic .NET compiler, not the VBScript engine. The invocation recorded in the process tree, vbc.exe /noconfig @<random>.cmdline followed by cvtres.exe linking a resource file, is the footprint of .NET CodeDOM compilation (CodeDomProvider.CompileAssemblyFromSource): the sample builds a managed binary on the host at run time rather than carrying it prebuilt (ATT&CK T1027.004, Compile After Delivery). Compiler launches whose parent is neither a build tool nor an IDE are a reliable hunting pivot for this behaviour.
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmpCAFD.tmp.exe
The value name (aspnet_state_perf) and the target file name (System.Web.exe) borrow ASP.NET component names, but the target sits in the user's Temp directory, where no framework component is installed. No System.Web.exe process appears in the process list, so the persistence target was not observed executing within the 119 s run.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpCAFD.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Every process in the tree opens this key, including Microsoft's own vbc.exe and cvtres.exe, so the read is part of ordinary runtime start-up and is weak evidence of deliberate geofencing on its own.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2604  eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
  Token: SeDebugPrivilege  2424  tmpCAFD.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded 4 times)
  description                       pid   process                                                                  procid_target  target
  PID 2604 wrote to memory of 1284  2604  eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe  30             vbc.exe
  PID 1284 wrote to memory of 1328  1284  vbc.exe                                                                  32             cvtres.exe
  PID 2604 wrote to memory of 2424  2604  eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe  33             tmpCAFD.tmp.exe
Each target is a child the writing process had just created (compare the process tree), so these writes are consistent with ordinary process creation, where the parent populates the new process's start-up data, rather than with injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe  (PID 2604, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1284, depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zpoq5gxj.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 1328, depth 3)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF60.tmp"
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp.exe  (PID 2424, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
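The process tree and the signatures above describe three behaviours worth turning into detection logic: a .NET compiler (vbc.exe, with cvtres.exe beneath it) launched by a parent that is not a build tool, a Temp-resident executable launched by another Temp-resident executable, and a Run-key value whose data points into a user's Temp directory. The following is an added example, not code from tria.ge or from the sample's authors. The process-creation and registry records are constructed here to mirror the tree and the Run-key IoC on this page (with an MSBuild/csc.exe pair added as a benign control), and the record layout and the allow-list of legitimate compiler parents are this example's own assumptions, so they should be adapted to whatever telemetry source (Sysmon, EDR) is actually in use.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # process-creation record (constructed layout, not tria.ge's)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:        # registry value-set record (constructed layout)
    pid: int
    image: str
    key: str
    data: str


# .NET command-line compilers, and parents that legitimately drive them
# (assumed allow-list; tune it to the environment being monitored).
COMPILERS = {"vbc.exe", "csc.exe"}
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "w3wp.exe", "aspnet_compiler.exe"}

# CodeDOM drives the compiler through a response file: vbc.exe /noconfig @"<tmp>.cmdline"
RESPONSE_FILE_RE = re.compile(r'/noconfig\s+@"?[^"\s]+\.cmdline"?', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def find_runtime_compilation(events):
    """(parent, compiler, [cvtres children]) for compiler launches from a
    parent outside the developer allow-list, i.e. compile-after-delivery."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if image_name(ev.image) not in COMPILERS or not RESPONSE_FILE_RE.search(ev.cmdline):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or image_name(parent.image) in DEV_PARENTS:
            continue
        # cvtres.exe under the compiler corroborates a real build that linked resources
        cvtres = [c for c in events if c.ppid == ev.pid and image_name(c.image) == "cvtres.exe"]
        hits.append((parent, ev, cvtres))
    return hits


def find_temp_run_values(reg_events):
    """Run/RunOnce values whose data points into a user's Temp directory."""
    return [r for r in reg_events if RUN_KEY_RE.search(r.key) and USER_TEMP_RE.search(r.data)]


def find_temp_to_temp_execution(events):
    """A Temp-resident process launching another Temp-resident executable."""
    by_pid = {e.pid: e for e in events}
    return [e for e in events if USER_TEMP_RE.search(e.image)
            and e.ppid in by_pid and USER_TEMP_RE.search(by_pid[e.ppid].image)]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe"

# Constructed events modelled on the report's process tree; the MSBuild rows are
# a benign control that the compiler rule must not flag.
PROC_EVENTS = [
    ProcEvent(2604, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1284, 2604, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"{TEMP}\\zpoq5gxj.cmdline"'),
    ProcEvent(1328, 1284, NET + r"\cvtres.exe",
              f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:{TEMP}\\RESCF61.tmp" "{TEMP}\\vbcCF60.tmp"'),
    ProcEvent(2424, 2604, TEMP + r"\tmpCAFD.tmp.exe", f'"{TEMP}\\tmpCAFD.tmp.exe" {SAMPLE}'),
    ProcEvent(4000, 3000, r"C:\Program Files\MSBuild\MSBuild.exe", "MSBuild.exe proj.csproj"),
    ProcEvent(4100, 4000, NET + r"\csc.exe", f'"{NET}\\csc.exe" /noconfig @"C:\\build\\proj.cmdline"'),
]

# Constructed registry event modelled on the report's Run-key IoC.
REG_EVENTS = [
    RegSetEvent(2424, TEMP + r"\tmpCAFD.tmp.exe",
                r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000"
                r"\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf",
                f'"{TEMP}\\System.Web.exe"'),
]

if __name__ == "__main__":
    for parent, comp, cvtres in find_runtime_compilation(PROC_EVENTS):
        print(f"compile-after-delivery: {image_name(parent.image)} ({parent.pid}) -> "
              f"{image_name(comp.image)} ({comp.pid}); cvtres pids {[c.pid for c in cvtres]}")
    for r in find_temp_run_values(REG_EVENTS):
        print(f"Temp-resident Run value set by pid {r.pid}: {ntpath.basename(r.key)} = {r.data}")
    for e in find_temp_to_temp_execution(PROC_EVENTS):
        print(f"Temp-to-Temp execution: pid {e.pid}: {e.cmdline}")
```

Run against the constructed records, the compiler rule fires once (sample PID 2604 launching vbc.exe PID 1284, corroborated by cvtres.exe PID 1328) and stays silent for the MSBuild-driven csc.exe, the Run-key rule fires on the aspnet_state_perf value written by PID 2424, and the Temp-to-Temp rule fires on tmpCAFD.tmp.exe. The parent allow-list is the part that needs the most local tuning: environments that host ASP.NET or use CodeDOM-based scripting legitimately will see vbc.exe/csc.exe under processes not listed here.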
Network
MITRE ATT&CK Enterprise v15
Downloads
1.
  Filesize: 1KB
  MD5: 57caa1b253c31aea3433e023e1cd30a9
  SHA1: 3442799d504df477d419972615258a3fc9aa434a
  SHA256: b1a35918a3393b7bb1034cacac7a227f737856300acaa598b15513cfd5db8503
  SHA512: f23ed3fca0e928140d39cac774d637a59f6445270112c0decc93af12f4af44440c9f0327ee5a8c8081bfd47daf56578998c1332318eca6adbc8f65c6552a3608
2.
  Filesize: 78KB
  MD5: 911a3d1989a390e3d08fec28e2366f16
  SHA1: a5668591123e508cfcd40dc5fba92d9a2d0b2669
  SHA256: 85c5bdbd82fbe4df238ae040d3db4355b146baf496ee8b2e2b62a468871596d9
  SHA512: 8a717635bc921e3395c38d82833fa6dd881635a64af5fa036e094368ed6c8339414e71884877489e1bb892eb05f79409b63b2368463056854aa6d91141d9c192
3.
  Filesize: 660B
  MD5: d20aa0bfe394b486b820ed03a8a1c2fe
  SHA1: 554b0afb9ebd72f67db48978cec81e3855d83577
  SHA256: f084d010c2417e7c7868d57019efe680e026275ee99a3b13e96f27a4c5fa5bb8
  SHA512: cb0c054ddfe80725e64bb27a64de948eeae5e2c372d6f841b9ef88c11e53604a652f2d52e3c0d1a6e0d97a1d9af012f08e11103339e7eb1cd758ba1c6c391625
4.
  Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c
5.
  Filesize: 15KB
  MD5: c3d41a3e6d7c6cca6804b4e5ec7ce3b1
  SHA1: eda63e6d893797a3104ccd7862117d7edaa1d62a
  SHA256: a23c5817b2250d693fa4be1074c9c23136526fb7b43b79010cc01c13e62cf4d6
  SHA512: e67fa9ba94cf05c46541374378c3211d4554e531b552630de87f11be5f756c52c18ca4849cfab75ca2e7cae190a36e7dd20932e8e56ba054fe92e0f844ca7cc8
6.
  Filesize: 266B
  MD5: 0c6607694847e897726c54ed2c20eefd
  SHA1: 19ca151170c3213dda3ab32b496a1cd2cc81ce67
  SHA256: 1d846cbbfe8af63d4da9803c28c01630f5f55f4475a7593bc95438e4f30a9258
  SHA512: 2e8e220b7477368747f402fa820b0111cdda30951730e4340fbac5e33066e6a3115ea71dba4186dcab642bd5a59bfa3363444e7ceb1327712caa5e3c7bef377c