Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/10/2024, 23:35
Static task: static1
Behavioral task: behavioral1
- Sample: d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
- Resource: win10v2004-20241007-en
General
- Target: d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
- Size: 78KB
- MD5: 88bdc277be811cc4d1a6cdce3de630a0
- SHA1: 4430e568aea8bd2deef33dad79f35753d44ace2a
- SHA256: d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351
- SHA512: 64c6252a6f2116073cbd40c603af35763ca265419c8c3fb9dd50eaa16af9dc05a0efe745404327831a24cf05440f9599d987f15702af2915c48959eddc2de023
- SSDEEP: 1536:6WtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtw9/F1kJ:6WtHFon3xSyRxvY3md+dWWZyw9/Y
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4436 | tmpD764.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmpD764.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpD764.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4316 | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
  Token: SeDebugPrivilege | 4436 | tmpD764.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4316 wrote to memory of 976 | 4316 | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe | 86
  PID 4316 wrote to memory of 976 | 4316 | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe | 86
  PID 4316 wrote to memory of 976 | 4316 | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe | 86
  PID 976 wrote to memory of 3744 | 976 | vbc.exe | 89
  PID 976 wrote to memory of 3744 | 976 | vbc.exe | 89
  PID 976 wrote to memory of 3744 | 976 | vbc.exe | 89
  PID 4316 wrote to memory of 4436 | 4316 | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe | 91
  PID 4316 wrote to memory of 4436 | 4316 | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe | 91
  PID 4316 wrote to memory of 4436 | 4316 | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4316
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tqubqzl1.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 976
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1BBED9F75CED4AECA1ED79906BE28E34.TMP"
      - System Location Discovery: System Language Discovery
      PID: 3744
  - C:\Users\Admin\AppData\Local\Temp\tmpD764.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD764.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4436
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: cee4412701720db8fac2fcb86e08c3bd
  SHA1: 7293e98428e0f99f492e3af073205b49d80cdfff
  SHA256: d05cafcffe42cb0caf8fc3fc352838e275c8074ef9dc27e9ae82fabc3d3e9c58
  SHA512: 8d725e6b710258aa5d33deb0555777426a57446e56a3d4bad7d53d1b7e2744cec500228603d06dfa73037b4e4276e53b8e7d0fd7056379bca6b81819fb9c6909
- Filesize: 78KB
  MD5: e1eae382e776e3a3d5915238e423e4b1
  SHA1: 2e05643525f3cf21106e644cf45cf5fc944044b5
  SHA256: b015864d93d85f57ada220f71d86105e3bbf76ba125ceb7cfc8fa97936ead756
  SHA512: dbe22665e1e291fd3acbc107387d1ae73472ac3b5b38b7f2b8eb9af5a6c6a065e02668610be27fcb01721648531e8d3a555b2632797e5b297a7f5eae94324dc0
- Filesize: 15KB
  MD5: c11d957de00063fc879e13315655ce71
  SHA1: da3b4152be028ae34b4db2eed4f3737df197fd48
  SHA256: a8b9bba88ab62d5eced5b37c077abe976153a686f93194ea070808b6b587baa2
  SHA512: ed7825a60da98b9f67e2c1580df16df368e81be4c23d1018a22f98e656d11c695861b7fd72a30dd8a1a1394e8b82e94f163914cc1fbe60b11ba314b434904f2f
- Filesize: 266B
  MD5: e7cfa47a7e411cab6254ff245db1771e
  SHA1: 9b964fce6a730d0865aee36869fa8f1752a76c3a
  SHA256: 70f4642fcd99e08a445e952c2c4146decdc8698af609937526d4343b05b90032
  SHA512: ca110769ee2ec29c47c660fcf93537af7fd2626796b5e5b76045d4f53eec88ff5fbf2077793160adcf1654cedcf7c4367b40008d02175d1e37b29561ac1e9526
- Filesize: 660B
  MD5: 2c9f26a3e244eb9c8b41ab457bf6af96
  SHA1: 7dd4e5ca55b47e42c5897fd9cb0b11202716d3c7
  SHA256: f209c9e7ec54c2242473c5535ce1172542ffd24858c3400f30107eefaab31497
  SHA512: d25a748860f9215e3ca2734aa3d6d7a68029901e29dc74293a221a75ffdd5f7326d022b7088c165526c45066903f1a104a9d579831deeea0680437ebb628583c
- Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107