Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2024, 13:20

General

  • Target

    4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe

  • Size

    78KB

  • MD5

    3582cd6030e1db8dd72f768906e2f130

  • SHA1

    fb55fc2001e1264e1fb7eb75148d965e705966c6

  • SHA256

    4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25

  • SHA512

    3b38dff43364649f5d3af5d85c1f2205b947065c33621dc36d10311071822307636fca712abe1b90d7272097eda17e1bd99cf348b4a9d627edfe5158382a0bea

  • SSDEEP

    1536:XHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLu9/P1Ab:XHFoI3DJywQjDgTLopLwdCFJzLu9/Q

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
    "C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfee2g6u.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E33.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2508
    • C:\Users\Admin\AppData\Local\Temp\tmp9CFB.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9CFB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES9E34.tmp

    Filesize

    1KB

    MD5

    393eb06d5fa25b24b9e3a0b735dd6343

    SHA1

    0a8f3338205b84cbc04c4362bdc8eff86c6ab47b

    SHA256

    17a8636cb4645043383c1cb264cb328a0004a496953ca2d676e4751f33e10f86

    SHA512

    6c8cc67fd2c4ac6635003884ef6728033253ba325ae133455fa6e21589a6a4a89fea437a379794e564d6e05b56fbcf65fd7610e115de98c9b0e79dd36a5b9dfb

  • C:\Users\Admin\AppData\Local\Temp\sfee2g6u.0.vb

    Filesize

    15KB

    MD5

    d1d00b39deca1a4277374587633ee81a

    SHA1

    dc003969b15b965db8c967559949ffacb81f217f

    SHA256

    04dc0975e51b05b61e068f0d1eb56e560d6d905a22bb47491d7c363e23c494e9

    SHA512

    27bf53e4ec0d1216064ca70e01d5aa5c9751c747707dcc4986508a8a99e685a2313921ca335dc9280b8cea66977941505e55d72573e6cc9605370c159bcd25f4

  • C:\Users\Admin\AppData\Local\Temp\sfee2g6u.cmdline

    Filesize

    266B

    MD5

    910caa6252fe4834dac25f69fcf49639

    SHA1

    e0028daeb17f513855a04933f76a0069f7a82e1f

    SHA256

    6910e70e87e2e1d86f5e8bb5280dd56c475d245f6473e15ed05553503768effa

    SHA512

    18c6345cafd4245b99c7268858acc98e21e185c130cbdc4586c0797460b9f8e2cd86f14ce403f838e05dd02a12604a8c32d86d091118ca499222111476fff944

  • C:\Users\Admin\AppData\Local\Temp\tmp9CFB.tmp.exe

    Filesize

    78KB

    MD5

    18d8b1a44b58543ee3dfcec6de83b3be

    SHA1

    268fd792b81fdb4e61b215a2bab7b7d6ba22e239

    SHA256

    edfec6c8f5fd15b7e15cf3105a3ec4ded448bfcdb2c9db502ba33a8cd66e0c33

    SHA512

    f8bc80b1f3d6e3e93adc3db0c4a3c2d115a47bc29751854134d52482ac85f24dbc7602104044494cb7b064c1216f061d6da5064cb24626f6b8f56b9a4b0bd277

  • C:\Users\Admin\AppData\Local\Temp\vbc9E33.tmp

    Filesize

    660B

    MD5

    70834d451f08263043e7d635aef22590

    SHA1

    d552ca95a6432c842bfe6916a6065fdfbfe62d64

    SHA256

    fbbcd243384f6297b4902a298bf02bf47aef1bdf58f969356da21d07509db8b7

    SHA512

    6a31217f147c8a0f0985a2245b4424575a884f83654213aa22dae0b7348539f98de3d05c133990bb6829ab9453c70304c689419e31efd1325854c6ed6fb7c9da

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/1240-8-0x00000000743B0000-0x000000007495B000-memory.dmp

    Filesize

    5.7MB

  • memory/1240-18-0x00000000743B0000-0x000000007495B000-memory.dmp

    Filesize

    5.7MB

  • memory/1452-0-0x00000000743B1000-0x00000000743B2000-memory.dmp

    Filesize

    4KB

  • memory/1452-1-0x00000000743B0000-0x000000007495B000-memory.dmp

    Filesize

    5.7MB

  • memory/1452-2-0x00000000743B0000-0x000000007495B000-memory.dmp

    Filesize

    5.7MB

  • memory/1452-24-0x00000000743B0000-0x000000007495B000-memory.dmp

    Filesize

    5.7MB