Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/10/2024, 20:21

General

  • Target

    190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe

  • Size

    78KB

  • MD5

    daa403e3352b2457a3c6446877612209

  • SHA1

    b69c26b5d22257793cfcf4e06a6ad9dd097da72a

  • SHA256

    190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061

  • SHA512

    a4c5fcc13aec1001eefdf51b47b9dd7a7b1d358eba5d27a774222f5bdc34c1571aa901bb7af95fb04b1d7352c6d18bc618109d4b9bc17d28a3d9c46160907a93

  • SSDEEP

    1536:wc58YpJywt04wbje37TazckwzW4UfSqRovPtoY0BQt96A9/n1mI:wc58WJywQj2TLo4UJuXHhn9/N

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
    "C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axsuovdu.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDAB5.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2500
    • C:\Users\Admin\AppData\Local\Temp\tmpD9AC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD9AC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESDAB6.tmp

    Filesize

    1KB

    MD5

    edf5f06bb926086121b4550edbc19ffb

    SHA1

    a22bfd71d0cad879ddf154073bda4287ad779400

    SHA256

    30df168a0e4e705b8dd57f5d215350931710728cd5010bb3ce85ba6a08a4de2b

    SHA512

    c636e49b64c16d143ba306471430ecb5ea273b00440a44b30f6d1d1c76194552bb9b0bd025aa9fd4b85678510c279d9ab741cb031290b16c33e65832264733ee

  • C:\Users\Admin\AppData\Local\Temp\axsuovdu.0.vb

    Filesize

    14KB

    MD5

    3d61f670a8434da64de9d5d949ca5dcb

    SHA1

    dbd6e66c01bd22ea6b541954c0cd17748cfc6889

    SHA256

    c1cf6f601ef6246d1ea418d4f01051f71f056d1267edfb6b3192f7e05d35c5a2

    SHA512

    9dd38ec421182bb438b14d9351b4775f2eb48151283bddd9007f9fe1469fb1a50cf47a821eae3001f17a3878eafabe3a0ceb16485ce22a1da24caffbb0951f76

  • C:\Users\Admin\AppData\Local\Temp\axsuovdu.cmdline

    Filesize

    266B

    MD5

    d54cca396068554f62d4e017fb5c4e91

    SHA1

    3d98e5b02e155821d39f5873b4a7ee67220b6ccf

    SHA256

    394210cea6b47442ffff1b6ca450e7fd7e31730a0e0b750c3ce3255d3e00faf8

    SHA512

    4562a7299082b0b7e7c2e96367502ec27586be921f96515a6a941efba71a2f0610be708e2210436b7e12a3a38e1c7cefed9555fec0e8b7abec06f92a5536ce2d

  • C:\Users\Admin\AppData\Local\Temp\tmpD9AC.tmp.exe

    Filesize

    78KB

    MD5

    1ae0bbd7ff1362ef297b1e11535ce69c

    SHA1

    63ee2dedb2886fcd2974c14e639d71d9bb72a15a

    SHA256

    16efad86e3ff42fa348f37c1b45443710cb0689454e3bd4392c2b6ca596c6a5f

    SHA512

    4325beee27e4ccb71b37f3f187079f4dc319aa6d805ebfb40ca424f3ac741c7e28463a5dd175df113ca530ab44e34144e858cd727082919fae2d219d0a592e64

  • C:\Users\Admin\AppData\Local\Temp\vbcDAB5.tmp

    Filesize

    660B

    MD5

    b4ad0a160a1af2f45a0c1492c9fcac27

    SHA1

    6713177db040be2f415086044909bd3d6780d6c5

    SHA256

    589a62db086ea962723b0116106728e3596ec9ca1521a3feb98c6563d4ecf416

    SHA512

    2c30c59cf9c9def5bb915666a368ecabf34eb1635a58f12ab48b80351d18948e3eb057262dce01417791f6393a134627ef210113e41ce8a9ec1e5cbf5359849e

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8008b17644b64cea2613d47c30c6e9f4

    SHA1

    4cd2935358e7a306af6aac6d1c0e495535bd5b32

    SHA256

    fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

    SHA512

    0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

  • memory/2464-0-0x0000000074FD1000-0x0000000074FD2000-memory.dmp

    Filesize

    4KB

  • memory/2464-1-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB

  • memory/2464-2-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB

  • memory/2464-24-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-8-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-18-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB