Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 29/11/2024, 13:20
Static task: static1
Behavioral task: behavioral1
  Sample: 4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
  Resource: win10v2004-20241007-en
General
Target: 4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
Size: 78KB
MD5: 3582cd6030e1db8dd72f768906e2f130
SHA1: fb55fc2001e1264e1fb7eb75148d965e705966c6
SHA256: 4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25
SHA512: 3b38dff43364649f5d3af5d85c1f2205b947065c33621dc36d10311071822307636fca712abe1b90d7272097eda17e1bd99cf348b4a9d627edfe5158382a0bea
SSDEEP: 1536:XHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLu9/P1Ab:XHFoI3DJywQjDgTLopLwdCFJzLu9/Q
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Executes dropped EXE (1 IoC)
  pid   Process
  2392  tmp9CFB.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
  1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp9CFB.tmp.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 1452 wrote to memory of 1240   1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe  30
  PID 1452 wrote to memory of 1240   1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe  30
  PID 1452 wrote to memory of 1240   1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe  30
  PID 1452 wrote to memory of 1240   1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe  30
  PID 1240 wrote to memory of 2508   1240  vbc.exe                                                                 32
  PID 1240 wrote to memory of 2508   1240  vbc.exe                                                                 32
  PID 1240 wrote to memory of 2508   1240  vbc.exe                                                                 32
  PID 1240 wrote to memory of 2508   1240  vbc.exe                                                                 32
  PID 1452 wrote to memory of 2392   1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe  33
  PID 1452 wrote to memory of 2392   1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe  33
  PID 1452 wrote to memory of 2392   1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe  33
  PID 1452 wrote to memory of 2392   1452  4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe  33
Processes
C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe"
  PID: 1452
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfee2g6u.cmdline"
    PID: 1240
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E33.tmp"
      PID: 2508
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmp9CFB.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9CFB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
    PID: 2392
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads