Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2024, 18:13

General

  • Target

    4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe

  • Size

    78KB

  • MD5

    7fcb227cf50a8a6d141a28f5baf6857b

  • SHA1

    bbaeca896472b6a7d1e67a545e9b537ff522fd97

  • SHA256

    4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275

  • SHA512

    70301203754303b20ae3765be57c98cae6c15389e566ed6187df71bb3ce600ea74cb6d015dfbba57caa6e21c2b7a6e2704e42a120fab06ab6cbcdbae90a51328

  • SSDEEP

    1536:iV58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6N9/u1L08:iV586E2EwR4uY41HyvYl9/f8

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
    "C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r6dufuwv.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB39.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2716
    • C:\Users\Admin\AppData\Local\Temp\tmpEA20.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEA20.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESEB3A.tmp

    Filesize

    1KB

    MD5

    46d5fcef91d06ad9ac1efe71b406cdf3

    SHA1

    817341210253c7a52fd899172da36fee6580cf83

    SHA256

    816579e1206b10e6027c3737fee6fe40dcec85ff61e978d0787588dd6f750d2e

    SHA512

    f04d740b64209d896fcb16602b7c8a99b7230cca882b7ca06bdcf0eb8d04542f0c9941074e4af199865eea91b0283f88b8832713d107340ed4353660e036dce0

  • C:\Users\Admin\AppData\Local\Temp\r6dufuwv.0.vb

    Filesize

    14KB

    MD5

    ac37aea28981d90585b285a5772b86b3

    SHA1

    a4ca453a5938be93b9763323afcf281092048495

    SHA256

    04f1266b943ae3f9a1bfd5f25659641506718c16740176185c901e7f895a5cdc

    SHA512

    8ce58b78b056a5baa35883b17b5929fe82edb4e78a002f76c538943df16e80911a413d13edd9527d09aa492b06952821be3bb5bebb543580d77be1fba25fe169

  • C:\Users\Admin\AppData\Local\Temp\r6dufuwv.cmdline

    Filesize

    266B

    MD5

    75ab11b49e984b8323e20b57102684fc

    SHA1

    25dbc77c6a8a3def548b67f0d4d524d2d5fdf420

    SHA256

    25dfd5e36f579aab02ad2161d32db3f84486a75b55d68f2f042ee4920467865e

    SHA512

    db39fc51a825614bf66669103580154a1c976f6352698780353d32b354e35d578302862abd049ae69c8b923157430f6c4fab4376b99307d405945609ba1ae6b5

  • C:\Users\Admin\AppData\Local\Temp\tmpEA20.tmp.exe

    Filesize

    78KB

    MD5

    8b869619c4c62a6ad56de97a52d5a56d

    SHA1

    813af6706c1323d031b654aa0fb0afa989bea43b

    SHA256

    3970d54eaa31e8bf2dbf775c4ff88e073be38a6defcc9f175226605c133ab016

    SHA512

    918e83a8251b380fb13c51b7b17cc99fa71c7c956d44a10c7a60419a01ccf19948f3ba0e17a971bb4fb05cd8074ec284f07f1f10b003852b7fbe3233cb97aa2c

  • C:\Users\Admin\AppData\Local\Temp\vbcEB39.tmp

    Filesize

    660B

    MD5

    5aa482f127b5ad78f6b7e99f111b1951

    SHA1

    f5b85898d189599f7caf5faa2c2e5ddfea7c416a

    SHA256

    a7b78bf934d67f4c0dd33e8ee89759e7bfb85dd2c76e53a9e19d3c207aca8fae

    SHA512

    0ba1cf4a1089bfcc2b7159f4ae0351f90933336fe49d05ee9be59b8050d94af7bc481783eadbe3bb3671d2f79dfe4816f8bb467dc71798c00797ee8cf6fc63e0

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    6870a276e0bed6dd5394d178156ebad0

    SHA1

    9b6005e5771bb4afb93a8862b54fe77dc4d203ee

    SHA256

    69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

    SHA512

    3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

  • memory/2704-0-0x00000000745A1000-0x00000000745A2000-memory.dmp

    Filesize

    4KB

  • memory/2704-1-0x00000000745A0000-0x0000000074B4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2704-2-0x00000000745A0000-0x0000000074B4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2704-23-0x00000000745A0000-0x0000000074B4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2824-8-0x00000000745A0000-0x0000000074B4B000-memory.dmp

    Filesize

    5.7MB

  • memory/2824-18-0x00000000745A0000-0x0000000074B4B000-memory.dmp

    Filesize

    5.7MB