Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
  Resource: win10v2004-20241007-en
General
Target: b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
Size: 78KB
MD5: 0d40169fe50fde60e4e88e57ef018dd0
SHA1: 55fbbc205c7ac64b480281f8418e0c5e5d430872
SHA256: b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bb
SHA512: 860290b7444922a9ca23dcb37a927557ab6d44a3c00bea9f47950a23c6c6eaaf14e012f35308d4774905990c01483aa5974fd5704eeb374b3f2d6ea6bca2bcf7
SSDEEP: 1536:FuHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtew9/UT1Od:FuHFonhASyRxvhTzXPvCbW2Uew9/N
Malware Config
Signatures
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4976 | tmp8608.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmp8608.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8608.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2688 | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
  Token: SeDebugPrivilege | 4976 | tmp8608.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2688 wrote to memory of 4872 | 2688 | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | 83
  PID 2688 wrote to memory of 4872 | 2688 | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | 83
  PID 2688 wrote to memory of 4872 | 2688 | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | 83
  PID 4872 wrote to memory of 3276 | 4872 | vbc.exe | 86
  PID 4872 wrote to memory of 3276 | 4872 | vbc.exe | 86
  PID 4872 wrote to memory of 3276 | 4872 | vbc.exe | 86
  PID 2688 wrote to memory of 4976 | 2688 | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | 88
  PID 2688 wrote to memory of 4976 | 2688 | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | 88
  PID 2688 wrote to memory of 4976 | 2688 | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe (PID 2688, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4872, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kviqmqcu.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3276, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8770.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94C722595F844E9FB14C5AFA93D9FDB7.TMP"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe (PID 4976, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 48678837cf13b1e4882f21d4c04a37d9
  SHA1: c78f8c6f83d2b72cc0ad10316b8c76df954facad
  SHA256: 1174681a1397fa1031910c98876a93a1c02f47718a90fc3ee91e5e5607c6f6b0
  SHA512: c48c932d63ed8b5034e47d658f9ed152fe45f5394e3b77164d469631a4e2f076bb6f192346e6193da0dbfdfceee2b9d9404f67bef7ad13c179fb38d72534eb7b
- Filesize: 15KB
  MD5: 8eb61d6ff9adea6a5972b8ed9b9bc078
  SHA1: 24cac37e4dcd5d15737141622d7ee3f771559eda
  SHA256: 688000902bc4dfe1ea4b4d53db0b47fdc55a4c8535ea21ab3698d469c56d3310
  SHA512: 1463650a35965de5d3ce0b9a34a988adef951c862d2e25e5e6d00156e3c2d27c93c747fef59353b449fcc7dad890c085a0429174471db4a6d8d19532f5e77fc6
- Filesize: 266B
  MD5: 87fedf2af133a950e3695fb8c534c5d8
  SHA1: e5cd25e4c8b81495baecf098ff67a268e11c9936
  SHA256: 6b2365b93cd2be0ef058ed9d1fc8d878c61e1df35f91c4fd0b2d16a02505553c
  SHA512: d8ab77f88fb5401b87a503ba55d97ec16a2c401ec084f344fbc8d2f9e877a15a2527800e8a582588ec81a266e3154d924e8fa9dbaaf2e2705fac9ed85f866826
- Filesize: 78KB
  MD5: 3a35fccc072f32e5c7e72418f1cd80d8
  SHA1: 966e5dd518ac7d94790a0939cbe18454cec7fe71
  SHA256: 8d18d8264e4fe43c5f03093086fec5e129f3cabe50d8f36e84e995428c5b8946
  SHA512: 23f54e5e7974288a9d7347b83e089a9156acab3bfe06b5abdbe61a7dc8b516975c86bafc327956e843b1adc918a4fb661bde1444caa63f8feb7ecc55e15f015c
- Filesize: 660B
  MD5: 511761bc67de9d7d3c0c13fdb3b1b7f8
  SHA1: 0957d1eb99b5bc3aa0fad888400bb1ac6a91499f
  SHA256: f34d8d467ee3b03fe0430ee6c7d06e5db44a7833590dbef360feffd7033f0e6d
  SHA512: 7d04d1f35678140ebe25d637a43c247f9f221ebd9d97de0c59e8a639502a3de5ad96af5fd12ce1fd32c82ed436f7ae1b545fc73834a4073b802900c3f798368c
- Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c