Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2024, 13:08
Static task: static1
Behavioral task: behavioral1
Sample: a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Resource: win10v2004-20241007-en
General
Target: a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Size: 78KB
MD5: a7989493a8e5fd945b366d1230069c50
SHA1: 21144907dbdbaa2ad41da6dfed7b3a93dd104b71
SHA256: a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906
SHA512: 332e1ca4b60410afa1fb39b1edddfdd6d86d5168300eaec9a79e4ffaa5086f94ffaedf4f0cadb34eb717342db111eef41bdd38ea6519f4eadbcbf86af15009db
SSDEEP: 1536:jPWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/u1vM:jPWtHa3Ln7N041QqhgD9/z
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1488 | tmpA299.tmp.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmpA299.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpA299.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 448 | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
  Token: SeDebugPrivilege | 1488 | tmpA299.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 448 wrote to memory of 3812 | 448 | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe | 84
  PID 448 wrote to memory of 3812 | 448 | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe | 84
  PID 448 wrote to memory of 3812 | 448 | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe | 84
  PID 3812 wrote to memory of 3572 | 3812 | vbc.exe | 88
  PID 3812 wrote to memory of 3572 | 3812 | vbc.exe | 88
  PID 3812 wrote to memory of 3572 | 3812 | vbc.exe | 88
  PID 448 wrote to memory of 1488 | 448 | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe | 90
  PID 448 wrote to memory of 1488 | 448 | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe | 90
  PID 448 wrote to memory of 1488 | 448 | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 448
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhlj5xdx.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3812
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC46E2461FEE4808A1F1244B30F956DE.TMP"
      - System Location Discovery: System Language Discovery
      PID: 3572
  - C:\Users\Admin\AppData\Local\Temp\tmpA299.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA299.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1488
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: fb9e7650ef6642385e8153c72770b439
  SHA1: 115797d1a7f104b8b5e2a5ae4a6a283b9b7947e5
  SHA256: 54dcd9cd67fbe97302a63928df6d46643ce12dec661198e64ebe9f1bf99906ee
  SHA512: 2916e0243137a767c80927efe77e1089d33ae202d2d8293b85ecb0e300433d01f1f2dc8f82e137c37c956749a24e7cbabad89dd1543be8ccd9f437791cfd29c4
- Filesize: 78KB
  MD5: faf4e1df15c3d88f0b274bae62d4182b
  SHA1: 6f255adef22c931787da5374758b8032a9e11448
  SHA256: 566dc6446a88a6031d58d241e9f65889acf0c4bf3fe59b9c10f3263a4709f49e
  SHA512: 0ffd9e6b492ff27b76bcb54214ee51ecc0a070132bad4e843b4ad109ac3e4a8a991b17fc37bfad198b5964d5415a3131d9ed4e98fca0e9e95c7dacb8660207dc
- Filesize: 15KB
  MD5: 5221d7380097cc0b01a97dda90ad3fdb
  SHA1: bdb9d92acaaefef62e88746c8e7c977b73b8f437
  SHA256: e45b1e751a507d519ad2e7da708ed73549661506a54441ee523ac6523e475c13
  SHA512: 377b06318e9db6ef5993ed9025086e2bb0331aaf9684042afc2ef0f643a868469f6e196522ffc7511232f079e919a426c6926155b9d99b0e2dcd837f47c0ad2f
- Filesize: 266B
  MD5: 0739572656b8d31bb4bfcc5eb966763c
  SHA1: b444cfa382d1dc6cf9bf4126d52acb5db4906bd1
  SHA256: 7cfa712a69d04fac85d01e9959c3798b71f1793afbc48b80d78d76d9a18ff920
  SHA512: 2746fa39efbd43e84df88a4aa0ee4d5641efc72bd1c04de06b88e3f16ddf3693613d582ce074323da54e6b57989c79fbe18c364850abb1e9ae7ad9665691e2a8
- Filesize: 660B
  MD5: 5dbd73b17635d94b2de9f0d0510040ae
  SHA1: d16723eaa9a1c6bf5be3201dbc816c8b4850f3ef
  SHA256: af786fb8d8442e75624182c95a2235cbc676af4c84b53fc3b95cda4418125ca3
  SHA512: 0a9edf03491c78fc48f632ad6236a290d83869b7357a7dfeaf5265cffbe739060bda309a35460d225e2f8d5910c680de3d9d5c9b6fc9040005e9d0d379389e9f
- Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65