Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/11/2024, 22:20
Static task: static1
Behavioral task: behavioral1
Sample: 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Resource: win10v2004-20241007-en
General
Target: 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Size: 78KB
MD5: 862505ea452c4a0749cbbdd38a99a1b0
SHA1: fc2feda64ac0921eb0bfbf4f73832615aa7397bf
SHA256: 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268ac
SHA512: 162fd800a580c25a48f0be06dcbc4a75aa65d0f680d158b37f92d3b9e70a6022b34d1261e0a2919be7418e714ee113bd6ce1a471b598b89f5af454d56f4504f2
SSDEEP: 1536:kRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC629/JWV16A:kRWV5jOSyRxvhTzXPvCbW2Ue9/a
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Executes dropped EXE (1 IoC)
pid | Process
604 | tmpB074.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmpB074.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB074.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4312 | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Token: SeDebugPrivilege | 604 | tmpB074.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4312 wrote to memory of 4740 | 4312 | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe | 82
PID 4312 wrote to memory of 4740 | 4312 | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe | 82
PID 4312 wrote to memory of 4740 | 4312 | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe | 82
PID 4740 wrote to memory of 4768 | 4740 | vbc.exe | 84
PID 4740 wrote to memory of 4768 | 4740 | vbc.exe | 84
PID 4740 wrote to memory of 4768 | 4740 | vbc.exe | 84
PID 4312 wrote to memory of 604 | 4312 | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe | 85
PID 4312 wrote to memory of 604 | 4312 | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe | 85
PID 4312 wrote to memory of 604 | 4312 | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe | 85
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4312
  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kwjib6ew.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4740
    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B514A043B3C43A68555EAA72B85DF0.TMP"
      - System Location Discovery: System Language Discovery
      PID: 4768
  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmpB074.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB074.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 604
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b73ae7130b2744116f3b38e9d236b30f
  SHA1: c92e6bd550812e8ece7cb8197952dd78a84e3f70
  SHA256: 5d0c97518475995e0ab96093d19777a01008b487e73a778db16c27a233ead3c1
  SHA512: 33dab4706fcd5563d3f6d07a3ed380251f038a0350265e705b34c4df561534684d54a34628a7ff7b22fa6b49fb9c75afd4da33d31d586eb2d1fb532cade95adc
- Filesize: 14KB
  MD5: 107bc5533cd7ef2a612e3c5f0ecd6480
  SHA1: f34c1965ff453e2d75dda4bd2b412232c02e24ad
  SHA256: e7b020a3cbad8a5148e16fe02ccb68514911cbfadd870ed03d01a8110d094ade
  SHA512: d0cfc8cd41167f9d73858e6d1c5da456029f4bbdeee320470b3cb185fedf59dc5283ebaa18daf84ac830c0775359df428a76a9d8109ad09f78bbcbe1955178fb
- Filesize: 266B
  MD5: de8bdb5f53348c1424991704d77cd557
  SHA1: 48489a6e88bb4a4e256d7e66e677318c7b3553ea
  SHA256: 99b0474989f48badef36b4277aa1d3c4523b934755a78f0acbfeb8268f7da5f5
  SHA512: f179740f258966aa7a14aa9db4dbfe49b7d1760f05bf8043db4bbde9a4833776474317fdb9d1dfdcf94cf27ad0599c659443eeb5a3035dd3639b0edf2ea088c6
- Filesize: 78KB
  MD5: b7086f5e79289587923c787862b32971
  SHA1: c3022a0d3edcc4a05d3935b5a01356f79281eac5
  SHA256: 036680b7b0ba14248b99245b7c485014da25c9a0f96a9269ed3f059bb74029ae
  SHA512: c11ed0e399d26165181ab836b3fd1f8e44ccbb8966bbfab4bc3ff96fdd59060d387eb994560baa454a3c9458885402d0544f69c8fb74a3c9cfaec5ab63afc30b
- Filesize: 660B
  MD5: 9d74b1bdea4a5af8582d7d8fe941561b
  SHA1: e6e61870d3e3faaad77081e1c8c45409ca3ef485
  SHA256: 9962b6406d8d4184af3c65c341cbbf64fcf745ae3551f27529fd6c082d8ce2fb
  SHA512: d2c657b794c73896d8fc3ee3d943c9ea8f576198a54ddd2fe1d2f21fe1efc807ed1b28ada26c6cbcbee5b4fe961d00341ae182b2e02e673fa2e12f0d40a1fad9
- Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c