Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/10/2024, 21:36
Static task: static1
Behavioral task: behavioral1
  Sample: f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  Resource: win10v2004-20241007-en
General
Target: f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Size: 78KB
MD5: 0e6596b3209273042786b0da91593250
SHA1: f4dfbe814f931ec000ece9d9d390e21491815949
SHA256: f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115f
SHA512: 83a4e62690553d09cab50c6c8fac07d80d377f9875c51e71ae563e24d6fa066e8af64a8cf1469418f7849d756977eba9475390270ff8acdf36588d339addd943
SSDEEP: 1536:8A5jSAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6Y9/D1Wv:Z5jSAtWDDILJLovbicqOq3o+nw9/y
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE 1 IoCs
  pid   Process
  2684  tmpE418.tmp.exe
- Loads dropped DLL 2 IoCs
  pid   Process
  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
- Uses the VBS compiler for execution 1 TTPs
- Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""
  Process: tmpE418.tmp.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpE418.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  Token: SeDebugPrivilege  2684  tmpE418.tmp.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  description                       pid   Process                                                                 procid_target
  PID 2544 wrote to memory of 2952  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe  31
  PID 2544 wrote to memory of 2952  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe  31
  PID 2544 wrote to memory of 2952  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe  31
  PID 2544 wrote to memory of 2952  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe  31
  PID 2952 wrote to memory of 1960  2952  vbc.exe                                                                 33
  PID 2952 wrote to memory of 1960  2952  vbc.exe                                                                 33
  PID 2952 wrote to memory of 1960  2952  vbc.exe                                                                 33
  PID 2952 wrote to memory of 1960  2952  vbc.exe                                                                 33
  PID 2544 wrote to memory of 2684  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe  34
  PID 2544 wrote to memory of 2684  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe  34
  PID 2544 wrote to memory of 2684  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe  34
  PID 2544 wrote to memory of 2684  2544  f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe  34
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2544
  - Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wbzxgcjp.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2952
    - Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE513.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE512.tmp"
      - System Location Discovery: System Language Discovery
      PID: 1960
  - Process: C:\Users\Admin\AppData\Local\Temp\tmpE418.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE418.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2684
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 125ee2aef99f2b2654de46d2f9b3d961
  SHA1: 31fbed0e4e3a00f298d39e00f6bab052d14010d1
  SHA256: 8bd1e42e45b8ecb04f7e8ca9c0a0dada2bb3993509bd0380b7b538388e3ff368
  SHA512: dbf8db925d38563621bcea3209d090d7145b9a0968f4781084089f31a3e4228801d5e94974a826608070bf6ed39085e9eab0440dcfeb73854e872fe2c4ac85fb
- Filesize: 78KB
  MD5: ec992298e3e4cea255cae42d74c5aa27
  SHA1: a2507e8a3f1a57da994f050add45a5ab33df789b
  SHA256: 47c8c59ef9a8a358494e695961d12921ad9eb4f5c68308212b1b0a77fdcdb1b9
  SHA512: d17a27554314656501728177d477bcd2657ac3da3e5680ea0d7affd3e32d3b1919967eff562f9f8ee395435008b19baff4c9b9c6092c1c9aaf58a288cb7a1607
- Filesize: 660B
  MD5: 8ff74cc8f3d8cac4e93339caf234e8f7
  SHA1: 9e12710bc5b87434d8d0e80a9bf16ecf00c362cc
  SHA256: 339527edd3c23e117c9dd4ffe329e88698424e673c50b0f17c0128dacd0b969e
  SHA512: 2871ec75c4fc5599b5b2b0632014d056c5d6381ab55d0f04f4266a0e52e540d65478696c9d67d604131baf22fa08f5cef851a69949a5623b2c4560c513aa9d53
- Filesize: 14KB
  MD5: 3f1176fa728d275786469fb14ebac573
  SHA1: 2addf92afa27569807c7b62d072f505c5355858a
  SHA256: f70e651201a0023e964db08f4af2f4207625d5840d222041e70fd60f5ff0c62e
  SHA512: e1fe179da45c17d69ca8a0c0183ebb774e05b6ce911068cc712ada167a76cdee18c4cdf1027310cfc6421f2008909dc8029ca2713c9cc2cc579f6151d05a6076
- Filesize: 266B
  MD5: 930107f339fcf90dcb098f42572b4761
  SHA1: 9b0083e3a523dc173972710ccbb70a90621d993e
  SHA256: f1315e2ac41831e1e8490ad65296fb65a02816545ada69258af4c9f102832d07
  SHA512: 38f5d72ec067e6b439913deaee972678951ba5c2f93588af5685aea924634b3101c02db2f8f0a2fa3d70394b261b4bf1014263ca716032bbbd4f954d7960d5fe
- Filesize: 62KB
  MD5: a26b0f78faa3881bb6307a944b096e91
  SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
  SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
  SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c