Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

62047a3ae1...6N.exe

windows7-x64

10

62047a3ae1...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe

  • Size

    78KB

  • MD5

    2df643bd3c95f5b076371b9b15982100

  • SHA1

    eab6399e99c99a6450ef68a3ae70d619ec89a08a

  • SHA256

    62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6

  • SHA512

    76753cd59359055b46f7bd87c2acfb01fd42a1a157160e3b645d4ba66d60a29051062401b3da390e5503180969d0b140f926f53ac2b54ad8b4d61dc0ee6f31f3

  • SSDEEP

    1536:ec58ddy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6c9/51S8:ec58In7N041Qqhg09/b

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
    "C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a7smifhh.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB711783A6A324BB0A36E245791BD36F9.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5064
    • C:\Users\Admin\AppData\Local\Temp\tmp7494.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7494.tmp.exe" C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES75BC.tmp
    Filesize

    1KB

    MD5

    d5c1e95a984311588b6e19b31bab18fc

    SHA1

    2f2203c41bf88b3f8cb84ac1bd2bc735cc1fcaea

    SHA256

    ce8bcb1723bb6205b434ab37da73ebc1258cf58bfbfde3ba7e3cadf5294b7e63

    SHA512

    fca3fe8352aaa4a23ba806833ecda94158ac3e2579ad4db2a73ebdc7beba1975ac011b68c34f934775599a675a3bda43346e8c743ee96d74afab36f5b7f4f45e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\a7smifhh.0.vb
    Filesize

    14KB

    MD5

    75b3180d66a49d2f8fc4d7ab1fbd7c79

    SHA1

    9739aef8533dad910bd623c33772fb4e93cd9996

    SHA256

    3c5bee9e57a03b477de06f889ce980af3b75697dbebabdde8549ab0b0768aba6

    SHA512

    bb75772c88f5c5b205595d9ca06b766427ac5746c27cba23954acd4121085ecd8700a0a6c86248f56fd23e70cf2b8179044326c7b55ce7c731a0b1fcf4b28310

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\a7smifhh.cmdline
    Filesize

    266B

    MD5

    7af5b7350cadf2a9d9633faa52872864

    SHA1

    3dc8427e248b7048a56760c9c4bba92944418c4e

    SHA256

    44c423bf65faaea9b4d251ebf5e6af9e2ce997e9aaee3dafc6861d741f58550b

    SHA512

    e53de9f3152b54d5fa971fe3fe12ee9d5bf9167d6d238fa3e77b6ad1e01c6d43f29c562d2345bba47b7e743465eb909d3a7e72ca959441707ef97163105efbe8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7494.tmp.exe
    Filesize

    78KB

    MD5

    2a9f30a2755f3326f1b9516de22cebc2

    SHA1

    5b8229db05726f146c258af2e35cce6849a1f3aa

    SHA256

    2ab110f277b40e950e46dbc140fa3f5232275d91ecca00de19aa6508dc8389ee

    SHA512

    532ae124aee51153fd9008f2a770968565d25d06834ec78f7cc3e5ed2f6ef2f572945c2c6c9d9a03373b8d15fd8f70f23133c05d3fb0134af62b7e5a9148615d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbcB711783A6A324BB0A36E245791BD36F9.TMP
    Filesize

    660B

    MD5

    de8f0adbdc2f613a7c184dc2530b95dd

    SHA1

    cf74bd101ed2996d5ea0f42d7199e0bd684b013e

    SHA256

    f453dd24d65827560b84830475c63d20320f7ae2bb662aca5c242ecbd8f5322f

    SHA512

    c4098444e964f6c01287178ab61950e054059255890abf612548c6ca6b18a792bee51fe1310fd19305c3f0186c3adc531389293bb55182bb9f3b81cf1c034b61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/784-1-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/784-2-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/784-0-0x00000000747E2000-0x00000000747E3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/784-22-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2040-23-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2040-24-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2040-25-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2040-27-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2040-28-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2040-29-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3560-18-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3560-9-0x00000000747E0000-0x0000000074D91000-memory.dmp

    Filesize

    5.7MB

    Download