Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2024, 11:45
Static task: static1
Behavioral task: behavioral1
  Sample: 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
  Resource: win10v2004-20241007-en
General
Target: 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Size: 78KB
MD5: 4bace1dc2a9db3db9638238233a29b60
SHA1: d4c157c6542dcb06b43f897a6926341772176165
SHA256: 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137
SHA512: e330d7485d5a028fb69fc5b76a47c3cdfef660cf9edac4191e07d35da5aca3b10f7bd822606e22bb0d17ad4883784bf11555ff9d63d02d13d32b99baa4ebcdb7
SSDEEP: 1536:HPy58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtP6R9/U1wA:HPy586E2EwR4uY41HyvYg9/Y
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Executes dropped EXE (1 IoC)
pid | process
1188 | tmp8E75.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmp8E75.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8E75.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4144 | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Token: SeDebugPrivilege | 1188 | tmp8E75.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | procid_target
PID 4144 wrote to memory of 2204 | 4144 | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe | 84
PID 4144 wrote to memory of 2204 | 4144 | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe | 84
PID 4144 wrote to memory of 2204 | 4144 | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe | 84
PID 2204 wrote to memory of 1980 | 2204 | vbc.exe | 87
PID 2204 wrote to memory of 1980 | 2204 | vbc.exe | 87
PID 2204 wrote to memory of 1980 | 2204 | vbc.exe | 87
PID 4144 wrote to memory of 1188 | 4144 | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe | 89
PID 4144 wrote to memory of 1188 | 4144 | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe | 89
PID 4144 wrote to memory of 1188 | 4144 | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe (PID 4144)
  Command line: "C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2204)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dsjg7icm.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1980)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB368E6883F74E64ABF86C67F3976CC6.TMP"
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.exe (PID 1188)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.exe" C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
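The signatures and the process tree above describe three behaviours worth turning into host-side detection logic: a process running from a user-writable path launching the .NET compiler (vbc.exe) with a response file (the compile-at-runtime pattern behind "Uses the VBS compiler for execution"), a Run key under WOW6432Node whose value points into %TEMP%, and an executable in %TEMP% spawning another executable from %TEMP%. The block below is an added example, not part of the tria.ge report or of any tria.ge tooling. It runs those checks over constructed Sysmon-style events (ID 1 process create, ID 13 registry value set) built from the PIDs, images and command lines in this report; the sample's parent PID 1000 is an assumption. The Geo\Nation lookup has no event here on purpose: it is a registry read, which Sysmon does not record, so that behaviour is only visible in an API trace such as the one this sandbox produced.

```python
import re

# Constructed Sysmon-style events (ID 1 = process create, ID 13 = registry
# value set) modelled on the process tree and IoCs in this report. PPID 1000
# for the sample is an assumption; nothing here comes from a real Sysmon log.
# The Geo\Nation lookup in the report is a registry *read*, which Sysmon does
# not log, so it has no event here.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe"
DROPPED = TEMP + r"\tmp8E75.tmp.exe"

EVENTS = [
    {"id": 1, "pid": 4144, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"id": 1, "pid": 2204, "ppid": 4144, "image": NETFX + r"\vbc.exe",
     "cmdline": '"' + NETFX + r'\vbc.exe" /noconfig @"' + TEMP + r'\dsjg7icm.cmdline"'},
    {"id": 1, "pid": 1980, "ppid": 2204, "image": NETFX + r"\cvtres.exe",
     "cmdline": NETFX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:'
                + TEMP + r'\RES8FDC.tmp" "' + TEMP + r'\vbcCB368E6883F74E64ABF86C67F3976CC6.TMP"'},
    {"id": 1, "pid": 1188, "ppid": 4144, "image": DROPPED,
     "cmdline": '"' + DROPPED + '" ' + SAMPLE},
    {"id": 13, "pid": 1188, "image": DROPPED,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
     "details": '"' + TEMP + r'\sortkey.exe"'},
]

# Paths a standard user can write to; code executing from here deserves scrutiny.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# The .NET command-line compilers CodeDOM drives (VB and C# variants).
DOTNET_COMPILER = re.compile(r"\\(vbc|csc)\.exe$", re.IGNORECASE)
# CodeDOM passes the compiler a generated .cmdline response file via @file.
RESPONSE_FILE = re.compile(r'/noconfig\s+@"?[^"\s]+\.cmdline"?', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def _proc_by_pid(events):
    return {e["pid"]: e for e in events if e["id"] == 1}


def lineage(events, pid):
    """Walk ppid links upward: [pid, parent, grandparent, ...]."""
    procs = _proc_by_pid(events)
    chain = [pid]
    while pid in procs:
        pid = procs[pid]["ppid"]
        chain.append(pid)
    return chain


def runtime_compiles(events):
    """vbc/csc launched with a response file by a parent running from a
    user-writable path. Returns (parent_pid, compiler_pid) pairs."""
    procs = _proc_by_pid(events)
    hits = []
    for e in procs.values():
        if not (DOTNET_COMPILER.search(e["image"]) and RESPONSE_FILE.search(e["cmdline"])):
            continue
        parent = procs.get(e["ppid"])
        if parent and USER_WRITABLE.search(parent["image"]):
            hits.append((parent["pid"], e["pid"]))
    return hits


def temp_run_keys(events):
    """Run-key values whose target lives under a user-writable path.
    Returns (value_name, value_data) pairs; the WOW6432Node hive is matched
    because the pattern only anchors on ...\\CurrentVersion\\Run\\."""
    return [(e["target"].rsplit("\\", 1)[1], e["details"])
            for e in events
            if e["id"] == 13 and RUN_KEY.search(e["target"])
            and USER_WRITABLE.search(e["details"])]


def temp_spawns_temp(events):
    """A process from a user-writable path launching another executable from
    a user-writable path: the dropper -> tmp8E75.tmp.exe step."""
    procs = _proc_by_pid(events)
    return [(e["ppid"], e["pid"]) for e in procs.values()
            if USER_WRITABLE.search(e["image"])
            and e["ppid"] in procs
            and USER_WRITABLE.search(procs[e["ppid"]]["image"])]


def report(events):
    """One line per finding, with the compile chain rooted at its top process."""
    lines = []
    for _parent, child in runtime_compiles(events):
        lines.append(f"runtime compile by pid {child}, chain {lineage(events, child)}")
    for name, target in temp_run_keys(events):
        lines.append(f"Run key {name} -> {target}")
    for parent, child in temp_spawns_temp(events):
        lines.append(f"pid {parent} spawned dropped exe pid {child}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

The compiler check keys on the parent's location rather than on vbc.exe itself, because legitimate .NET applications (and Visual Studio) invoke the same compiler with the same /noconfig @file.cmdline shape; what makes this instance suspicious is that the parent is an executable in %TEMP%. Note also that cvtres.exe appears in the report's tree as a child of vbc.exe; it is not matched by the compiler rule, which is correct, since it is the compiler's own resource-conversion step and is already covered by the lineage of the vbc.exe hit.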
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 6299e2b6a1ef57833911b97d5789819c
SHA1: 10afa304230c3536faf4e639d3250304058a65dc
SHA256: da0c3b7b1a79ecb4555fddbc1638664dccd66dbb2cfde89935c83f1d154c3726
SHA512: 97c3776f65d2a5e76d934a889ad7f756889fe02577cd3db1be6780c6a52dac1ac9d665d34f6cdba7bf2138242bacb0567b0807c6f5623c2781698e11c78f1765

Filesize: 14KB
MD5: ee55ea1efbfa3dd90dc3c01f4e501dcf
SHA1: 03e0caf3d157f604db59ed6a97545aa7386f1e6b
SHA256: c8243e094be7cccf4b80c241bfacb147519333fea40122d315f627a47ff8e13b
SHA512: 2a9cfd10f2bf01a0dab28cd76255bdc054db9eb753217bcb34f27052fef2dd55cea532bcf95d93a6dfd9f3b5c8521d2bf26e013fe3b33b4c852deec7a32d65ff

Filesize: 266B
MD5: 7dfac119922323be15d7a6821c3ac599
SHA1: 5533e61c482ef230858ec14d6aebe712d50afd97
SHA256: ba63ab4233a8897745665e8f968b110b9c8adf248edf4e5d6094a7b19d879ec7
SHA512: 50916694a756e9f71f327da6bcab467394a39e6a4ff4865d09c37d20b4b2b08c1c9da6a597608ee5c355495db2ca5cd2e757d11fe93a5c7e82b4c5fe5439a2ff

Filesize: 78KB
MD5: c5a61193fd8748013104c29ab636196c
SHA1: 6690aa391bc9124a498a01a7d7ad544e93c912ab
SHA256: 2001a01148a3601bed5152ed8ea6c5ffd9fda87eb85a1d06ce1396e3d9ec566c
SHA512: 5bf1b4e5b1c909b163682e275ce1763252c5dd8d543bf55c03e1304517c85c83f299760cbf5b9272919246a51ffe7491db1368259b7998b714ddfabf3b4e59bc

Filesize: 660B
MD5: 9451ab3c6975d6ab152135151a50387b
SHA1: 17a3931ee5ce42e6528bd283deb994ae50bab9cc
SHA256: 827b8e624fe5d17dbc65e4f363c0653a802cba9e3bb656ed1c0a127ff51996ee
SHA512: 2f6b87329089bbca4f5bdc9565f32ec33f65192617894c537cd56ec3f69c69cccbcb788286e84e2b83fa0b9c05f7c4d8d5643ebced2a568a98d445af8dc79b05

Filesize: 62KB
MD5: 6870a276e0bed6dd5394d178156ebad0
SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809