Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2024, 20:21
Static task: static1
Behavioral task: behavioral1
  Sample: 190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
  Resource: win10v2004-20241007-en
General
Target: 190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
Size: 78KB
MD5: daa403e3352b2457a3c6446877612209
SHA1: b69c26b5d22257793cfcf4e06a6ad9dd097da72a
SHA256: 190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061
SHA512: a4c5fcc13aec1001eefdf51b47b9dd7a7b1d358eba5d27a774222f5bdc34c1571aa901bb7af95fb04b1d7352c6d18bc618109d4b9bc17d28a3d9c46160907a93
SSDEEP: 1536:wc58YpJywt04wbje37TazckwzW4UfSqRovPtoY0BQt96A9/n1mI:wc58WJywQj2TLo4UJuXHhn9/N
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- MetamorpherRAT family
- Executes dropped EXE (1 IoC)
  pid 2272  tmpD9AC.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 2464  190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
  pid 2464  190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
- Uses the VBS compiler (vbc.exe) for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpD9AC.tmp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2464  190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2464 wrote to memory of 2472  (190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe, target 31)  4 identical events
  PID 2472 wrote to memory of 2500  (vbc.exe, target 33)  4 identical events
  PID 2464 wrote to memory of 2272  (190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe, target 34)  4 identical events
Processes
1. C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe"
   PID: 2464
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axsuovdu.cmdline"
      PID: 2472
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDAB5.tmp"
         PID: 2500
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\tmpD9AC.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD9AC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
      PID: 2272
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
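The process tree above is the compile-at-runtime pattern behind the "Uses the VBS compiler for execution" signature: the sample launches vbc.exe with a response file (@"...\axsuovdu.cmdline") in its own temp directory, vbc.exe spawns cvtres.exe as it normally does, and the parent then executes the freshly produced tmpD9AC.tmp.exe. The following detection logic is an added example written for this page, not code from the tria.ge report or from the MetamorpherRAT tooling. The event records are constructed from the tree above plus one benign MSBuild build; the field names (pid, ppid, image, cmdline), the allowlist of developer parents and the set of user-writable directories are assumptions to adapt to your own telemetry.

```python
"""Flag vbc.exe/csc.exe launched by a non-developer parent with a response file
in a user-writable directory, and list the executables that parent then ran.

Added example, not code from the tria.ge report. Event field names are an
assumption (Sysmon-style process-creation records); the events below are
constructed from the report's process tree plus one benign build event.
"""
import re
from collections import defaultdict

SAMPLE = "190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"


def tmp(name):
    return TEMP + "\\" + name


# Constructed events (pid, ppid, image, cmdline) mirroring the report's tree.
EVENTS = [
    {"pid": 2464, "ppid": 1900, "image": tmp(SAMPLE),
     "cmdline": '"' + tmp(SAMPLE) + '"'},
    {"pid": 2472, "ppid": 2464, "image": NET + r"\vbc.exe",
     "cmdline": '"' + NET + r'\vbc.exe" /noconfig @"' + tmp("axsuovdu.cmdline") + '"'},
    {"pid": 2500, "ppid": 2472, "image": NET + r"\cvtres.exe",
     "cmdline": NET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:'
                + tmp("RESDAB6.tmp") + '" "' + tmp("vbcDAB5.tmp") + '"'},
    {"pid": 2272, "ppid": 2464, "image": tmp("tmpD9AC.tmp.exe"),
     "cmdline": '"' + tmp("tmpD9AC.tmp.exe") + '" ' + tmp(SAMPLE)},
    # Benign control (constructed): MSBuild driving csc.exe with an obj\ response file.
    {"pid": 2900, "ppid": 2800,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "MSBuild.exe app.sln"},
    {"pid": 3000, "ppid": 2900, "image": NET + r"\csc.exe",
     "cmdline": NET + r'\csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.rsp"'},
]

COMPILER = re.compile(r"\\(vbc|csc)\.exe$", re.I)
DEV_PARENT = re.compile(r"\\(msbuild|devenv|dotnet)\.exe$", re.I)  # assumed allowlist
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+)"?')


def find_runtime_compile_chains(events):
    """Return one finding per compiler launch that (a) reads its response file
    from a user-writable directory and (b) is not driven by a build tool.
    Each finding lists sibling .exe images the same parent ran from a
    user-writable path, i.e. the likely output of the compile step."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if not COMPILER.search(e["image"]):
            continue
        m = RESPONSE_FILE.search(e["cmdline"])
        if not m or not USER_WRITABLE.search(m.group(1)):
            continue  # response file in a project tree: ordinary build
        parent = by_pid.get(e["ppid"])
        if parent is None or DEV_PARENT.search(parent["image"]):
            continue  # compiler driven by MSBuild/devenv/dotnet
        dropped = [
            s["image"] for s in children[e["ppid"]]
            if s["pid"] != e["pid"]
            and s["image"].lower().endswith(".exe")
            and USER_WRITABLE.search(s["image"])
        ]
        findings.append({
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "compiler": e["image"],
            "response_file": m.group(1),
            "dropped": dropped,
        })
    return findings


if __name__ == "__main__":
    for f in find_runtime_compile_chains(EVENTS):
        print(f"parent {f['parent_pid']} {f['parent_image']}")
        print(f"  compiler      {f['compiler']}")
        print(f"  response file {f['response_file']}")
        for d in f["dropped"]:
            print(f"  dropped exe   {d}")
```

Note that cvtres.exe under vbc.exe is not the signal; the compiler always spawns it to embed resources. What separates this tree from a developer build is the parent (a freshly written executable in %TEMP%, not MSBuild or devenv) and the response file living in the same user-writable directory, which is why the rule keys on those two fields and treats the sibling tmp*.exe as corroboration rather than a requirement.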
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: edf5f06bb926086121b4550edbc19ffb
  SHA1: a22bfd71d0cad879ddf154073bda4287ad779400
  SHA256: 30df168a0e4e705b8dd57f5d215350931710728cd5010bb3ce85ba6a08a4de2b
  SHA512: c636e49b64c16d143ba306471430ecb5ea273b00440a44b30f6d1d1c76194552bb9b0bd025aa9fd4b85678510c279d9ab741cb031290b16c33e65832264733ee
- Filesize: 14KB
  MD5: 3d61f670a8434da64de9d5d949ca5dcb
  SHA1: dbd6e66c01bd22ea6b541954c0cd17748cfc6889
  SHA256: c1cf6f601ef6246d1ea418d4f01051f71f056d1267edfb6b3192f7e05d35c5a2
  SHA512: 9dd38ec421182bb438b14d9351b4775f2eb48151283bddd9007f9fe1469fb1a50cf47a821eae3001f17a3878eafabe3a0ceb16485ce22a1da24caffbb0951f76
- Filesize: 266B
  MD5: d54cca396068554f62d4e017fb5c4e91
  SHA1: 3d98e5b02e155821d39f5873b4a7ee67220b6ccf
  SHA256: 394210cea6b47442ffff1b6ca450e7fd7e31730a0e0b750c3ce3255d3e00faf8
  SHA512: 4562a7299082b0b7e7c2e96367502ec27586be921f96515a6a941efba71a2f0610be708e2210436b7e12a3a38e1c7cefed9555fec0e8b7abec06f92a5536ce2d
- Filesize: 78KB
  MD5: 1ae0bbd7ff1362ef297b1e11535ce69c
  SHA1: 63ee2dedb2886fcd2974c14e639d71d9bb72a15a
  SHA256: 16efad86e3ff42fa348f37c1b45443710cb0689454e3bd4392c2b6ca596c6a5f
  SHA512: 4325beee27e4ccb71b37f3f187079f4dc319aa6d805ebfb40ca424f3ac741c7e28463a5dd175df113ca530ab44e34144e858cd727082919fae2d219d0a592e64
- Filesize: 660B
  MD5: b4ad0a160a1af2f45a0c1492c9fcac27
  SHA1: 6713177db040be2f415086044909bd3d6780d6c5
  SHA256: 589a62db086ea962723b0116106728e3596ec9ca1521a3feb98c6563d4ecf416
  SHA512: 2c30c59cf9c9def5bb915666a368ecabf34eb1635a58f12ab48b80351d18948e3eb057262dce01417791f6393a134627ef210113e41ce8a9ec1e5cbf5359849e
- Filesize: 62KB
  MD5: 8008b17644b64cea2613d47c30c6e9f4
  SHA1: 4cd2935358e7a306af6aac6d1c0e495535bd5b32
  SHA256: fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
  SHA512: 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea