Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    18/10/2024, 00:37

General

  • Target

    eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe

  • Size

    78KB

  • MD5

    edadcbcef93c77248f4d2c0c723ac480

  • SHA1

    9e63fbfcdc6d64d4e2eeb25f7b252ba6d5c1bd00

  • SHA256

    eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89

  • SHA512

    ef758c1a6b869ff711d6803e177e78670ab711868216881630108aa846ef1d63d824e9d92f99245eccf0c91939f26f1510fdfb12e5c2f16bd5f7932e144946c0

  • SSDEEP

    1536:ZWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRM9/q51KS:ZWtHFonhASyRxvhTzXPvCbW2URM9/E

Malware Config

Signatures

  • MetamorpherRAT

MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
    "C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zpoq5gxj.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF60.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1328
    • C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
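The process tree above is a compile-at-runtime chain: the sample drives vbc.exe (the Visual Basic .NET compiler shipped with the .NET Framework, not a VBScript engine) with an @response file in %TEMP%, vbc.exe calls cvtres.exe to produce a resource object next to it, and the parent then executes the freshly built tmpCAFD.tmp.exe, which sets the Run key. The following is an added detection example, not tria.ge's own signature code. It runs offline over a constructed list of process-creation events in the shape a Sysmon Event ID 1 collector would emit; the PIDs, images and command lines are copied from the tree, while the field names, the explorer.exe parent and the benign MSBuild control events are assumptions.

```python
"""Detect the vbc.exe -> cvtres.exe -> dropped-EXE chain from the process tree.

Added example, not tria.ge's signature code. Events are constructed to mirror the
tree above; field names, the explorer.exe parent and the MSBuild control are assumed.
"""
import re
from collections import defaultdict

# .NET command-line compilers that malware drives to build a payload on the victim
COMPILERS = {"vbc.exe", "csc.exe"}
# Parents for which compiler use is normal (assumed allowlist; tune for your fleet)
BENIGN_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
# User-writable locations where a dropped payload or response file typically lands
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata\\local\\temp|programdata|windows\\temp)\\", re.I
)

# Constructed sample events: PIDs and command lines from the tree above, plus an
# assumed explorer.exe parent and an assumed benign developer build for contrast.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2604, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1284, "ppid": 2604, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"{TEMP}\\zpoq5gxj.cmdline"'},
    {"pid": 1328, "ppid": 1284, "image": FW + r"\cvtres.exe",
     "cmdline": f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                f'"/OUT:{TEMP}\\RESCF61.tmp" "{TEMP}\\vbcCF60.tmp"'},
    {"pid": 2424, "ppid": 2604, "image": TEMP + r"\tmpCAFD.tmp.exe",
     "cmdline": f'"{TEMP}\\tmpCAFD.tmp.exe" {SAMPLE}'},
    # Benign control (assumed): MSBuild driving the same compiler from a source tree
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe app.vbproj"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(ev, by_pid):
    """Names of the rules that fire on a single process-creation event."""
    image = basename(ev["image"])
    parent = by_pid.get(ev["ppid"])
    parent_image = basename(parent["image"]) if parent else ""
    hits = []
    # A compiler fed an @response file from a user-writable directory by something
    # other than a build tool: the vbc.exe line in the tree.
    if (image in COMPILERS and "@" in ev["cmdline"]
            and USER_WRITABLE.search(ev["cmdline"])
            and parent_image not in BENIGN_COMPILER_PARENTS):
        hits.append("runtime_compilation")
    # cvtres.exe under a compiler, writing its resource object into temp: the third line.
    if image == "cvtres.exe" and parent_image in COMPILERS and USER_WRITABLE.search(ev["cmdline"]):
        hits.append("compiler_resource_link")
    # Any executable started from a user-writable directory (the dropped tmp*.exe;
    # the sample itself also fires because the sandbox runs it from %TEMP%).
    if USER_WRITABLE.search(ev["image"]):
        hits.append("exec_from_user_writable")
    return hits


def analyze(events):
    """Map every PID to the list of rules it triggered."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: rules_for(e, by_pid) for e in events}


def compile_and_run_chains(events):
    """Correlate per-process hits into 'parent compiled something, then ran a file
    from a user-writable directory' chains, which is the shape of the tree above."""
    hits = analyze(events)
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    chains = []
    for root in events:
        kids = children[root["pid"]]
        compilers = [k for k in kids if "runtime_compilation" in hits[k["pid"]]]
        dropped = [k for k in kids if "exec_from_user_writable" in hits[k["pid"]]]
        if compilers and dropped:
            chains.append({
                "root_pid": root["pid"],
                "compiler_pid": compilers[0]["pid"],
                "dropped": [basename(d["image"]) for d in dropped],
            })
    return chains


if __name__ == "__main__":
    for pid, names in analyze(SAMPLE_EVENTS).items():
        if names:
            print(pid, names)
    print(compile_and_run_chains(SAMPLE_EVENTS))
```

The per-process rules are deliberately loose (a developer's `vbc.exe @obj\Debug\x.cmdline` under a source tree does not fire because the response file is not in a user-writable temp location); the chain correlation is what turns three weak signals into the one pattern this report shows. Registry events are not in the tree, so the Run-key write is left to a separate registry rule.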

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESCF61.tmp

    Filesize

    1KB

    MD5

    57caa1b253c31aea3433e023e1cd30a9

    SHA1

    3442799d504df477d419972615258a3fc9aa434a

    SHA256

    b1a35918a3393b7bb1034cacac7a227f737856300acaa598b15513cfd5db8503

    SHA512

    f23ed3fca0e928140d39cac774d637a59f6445270112c0decc93af12f4af44440c9f0327ee5a8c8081bfd47daf56578998c1332318eca6adbc8f65c6552a3608

  • C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp.exe

    Filesize

    78KB

    MD5

    911a3d1989a390e3d08fec28e2366f16

    SHA1

    a5668591123e508cfcd40dc5fba92d9a2d0b2669

    SHA256

    85c5bdbd82fbe4df238ae040d3db4355b146baf496ee8b2e2b62a468871596d9

    SHA512

    8a717635bc921e3395c38d82833fa6dd881635a64af5fa036e094368ed6c8339414e71884877489e1bb892eb05f79409b63b2368463056854aa6d91141d9c192

  • C:\Users\Admin\AppData\Local\Temp\vbcCF60.tmp

    Filesize

    660B

    MD5

    d20aa0bfe394b486b820ed03a8a1c2fe

    SHA1

    554b0afb9ebd72f67db48978cec81e3855d83577

    SHA256

    f084d010c2417e7c7868d57019efe680e026275ee99a3b13e96f27a4c5fa5bb8

    SHA512

    cb0c054ddfe80725e64bb27a64de948eeae5e2c372d6f841b9ef88c11e53604a652f2d52e3c0d1a6e0d97a1d9af012f08e11103339e7eb1cd758ba1c6c391625

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • C:\Users\Admin\AppData\Local\Temp\zpoq5gxj.0.vb

    Filesize

    15KB

    MD5

    c3d41a3e6d7c6cca6804b4e5ec7ce3b1

    SHA1

    eda63e6d893797a3104ccd7862117d7edaa1d62a

    SHA256

    a23c5817b2250d693fa4be1074c9c23136526fb7b43b79010cc01c13e62cf4d6

    SHA512

    e67fa9ba94cf05c46541374378c3211d4554e531b552630de87f11be5f756c52c18ca4849cfab75ca2e7cae190a36e7dd20932e8e56ba054fe92e0f844ca7cc8

  • C:\Users\Admin\AppData\Local\Temp\zpoq5gxj.cmdline

    Filesize

    266B

    MD5

    0c6607694847e897726c54ed2c20eefd

    SHA1

    19ca151170c3213dda3ab32b496a1cd2cc81ce67

    SHA256

    1d846cbbfe8af63d4da9803c28c01630f5f55f4475a7593bc95438e4f30a9258

    SHA512

    2e8e220b7477368747f402fa820b0111cdda30951730e4340fbac5e33066e6a3115ea71dba4186dcab642bd5a59bfa3363444e7ceb1327712caa5e3c7bef377c

  • memory/1284-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/1284-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2604-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

    Filesize

    4KB

  • memory/2604-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2604-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2604-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB