Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/11/2024, 18:13
Static task: static1

Behavioral task: behavioral1
- Sample: 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
- Resource: win10v2004-20241007-en
General
- Target: 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
- Size: 78KB
- MD5: 7fcb227cf50a8a6d141a28f5baf6857b
- SHA1: bbaeca896472b6a7d1e67a545e9b537ff522fd97
- SHA256: 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275
- SHA512: 70301203754303b20ae3765be57c98cae6c15389e566ed6187df71bb3ce600ea74cb6d015dfbba57caa6e21c2b7a6e2704e42a120fab06ab6cbcdbae90a51328
- SSDEEP: 1536:iV58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6N9/u1L08:iV586E2EwR4uY41HyvYl9/f8
Malware Config

Signatures

- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.

- Metamorpherrat family

- Deletes itself (1 IoCs)
  pid  | Process
  3020 | tmpEA20.tmp.exe

- Executes dropped EXE (1 IoCs)
  pid  | Process
  3020 | tmpEA20.tmp.exe

- Loads dropped DLL (2 IoCs)
  pid  | Process
  2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
  2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe

- Uses the VBS compiler for execution (1 TTPs)

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmpEA20.tmp.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpEA20.tmp.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
  Token: SeDebugPrivilege | 3020 | tmpEA20.tmp.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                      | pid  | Process | procid_target
  PID 2704 wrote to memory of 2824 | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe | 31
  PID 2704 wrote to memory of 2824 | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe | 31
  PID 2704 wrote to memory of 2824 | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe | 31
  PID 2704 wrote to memory of 2824 | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe | 31
  PID 2824 wrote to memory of 2716 | 2824 | vbc.exe | 33
  PID 2824 wrote to memory of 2716 | 2824 | vbc.exe | 33
  PID 2824 wrote to memory of 2716 | 2824 | vbc.exe | 33
  PID 2824 wrote to memory of 2716 | 2824 | vbc.exe | 33
  PID 2704 wrote to memory of 3020 | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe | 34
  PID 2704 wrote to memory of 3020 | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe | 34
  PID 2704 wrote to memory of 3020 | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe | 34
  PID 2704 wrote to memory of 3020 | 2704 | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe | 34
Processes

- C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe"
  PID: 2704
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r6dufuwv.cmdline"
    PID: 2824
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB39.tmp"
      PID: 2716
      - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\tmpEA20.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpEA20.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
    PID: 3020
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads