Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/11/2024, 08:43

General

  • Target

    f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe

  • Size

    78KB

  • MD5

    769bedaefa73efbdbb4a456f208a4250

  • SHA1

    345afffc48e5dcd99c97e6781d19bd679b033304

  • SHA256

    f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2

  • SHA512

    4e726cd3e0954ca61314f5b12105da94eefb5d130fa5e0444a2d824968e9c164aa31aba29f8083bf174f4b3b8c3e71ca5b0f49ab4f1ee72db2d7381c24ddc676

  • SSDEEP

    1536:rBWV58UAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtt60m9/E1qv:tWV58UAtWDDILJLovbicqOq3o+nE9/l

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
    "C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aq4wrkry.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES898B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc898A.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2124
    • C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2092

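The process tree above is the classic .NET runtime-compile chain: the sample (PID 2508) hands a response file to vbc.exe, vbc.exe calls cvtres.exe to build the resource blob, and the parent then executes the freshly compiled tmp8852.tmp.exe from the same Temp directory. The detection below is an added example written for this page, not tria.ge's own signature logic. It runs over constructed process-creation events (Sysmon Event ID 1 style pid/ppid/image/cmdline fields) that mirror the PIDs and paths in the report; the launcher PID 1000 and the benign MSBuild events are assumptions, and the `ProcEvent`/`detect` names are illustrative.

```python
"""Detect the compile-and-drop chain: a process running from a user-writable Temp
directory drives the .NET compiler, and then executes an EXE compiled there.
Added example, not tria.ge code. Events below are constructed to mirror the report."""

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = "f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe"

# Constructed events mirroring the report's tree. PID 1000 (whatever launched the
# sample) is an assumed placeholder; the report does not name it.
EVENTS = [
    ProcEvent(2508, 1000, rf"{TEMP}\{SAMPLE}", rf'"{TEMP}\{SAMPLE}"'),
    ProcEvent(2384, 2508, rf"{NETFX}\vbc.exe",
              rf'"{NETFX}\vbc.exe" /noconfig @"{TEMP}\aq4wrkry.cmdline"'),
    ProcEvent(2124, 2384, rf"{NETFX}\cvtres.exe",
              rf'{NETFX}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              rf'"/OUT:{TEMP}\RES898B.tmp" "{TEMP}\vbc898A.tmp"'),
    ProcEvent(2092, 2508, rf"{TEMP}\tmp8852.tmp.exe",
              rf'"{TEMP}\tmp8852.tmp.exe" {TEMP}\{SAMPLE}'),
]

# Constructed benign control: a build tool driving csc.exe from a project directory.
BENIGN = [
    ProcEvent(4000, 3000, r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe app.csproj"),
    ProcEvent(4001, 4000, rf"{NETFX}\csc.exe",
              rf'"{NETFX}\csc.exe" /noconfig @"C:\projects\app\obj\Debug\app.cmdline"'),
]

# Per-user Temp is writable without elevation; legitimate compilers are not launched from it.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings for the three links of the chain, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # no parent in the window: nothing to correlate against
        name, pname = basename(e.image), basename(parent.image)

        # Link 1: a .NET compiler whose parent itself runs from a user-writable Temp path.
        if name in DOTNET_COMPILERS and USER_WRITABLE.match(parent.image):
            m = RESPONSE_FILE.search(e.cmdline)
            findings.append({"rule": "runtime_compile", "pid": e.pid, "ppid": parent.pid,
                             "response_file": m.group(1) if m else None})

        # Link 2: cvtres.exe under that compiler, i.e. the compile actually produced a binary.
        grandparent = by_pid.get(parent.ppid)
        if (name == "cvtres.exe" and pname in DOTNET_COMPILERS
                and grandparent is not None and USER_WRITABLE.match(grandparent.image)):
            findings.append({"rule": "compile_resources", "pid": e.pid, "ppid": parent.pid,
                             "response_file": None})

        # Link 3: an EXE in Temp executed by a parent that also lives in Temp (the dropped payload).
        if USER_WRITABLE.match(e.image) and USER_WRITABLE.match(parent.image):
            findings.append({"rule": "dropped_exe_executed", "pid": e.pid, "ppid": parent.pid,
                             "response_file": None})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print("benign findings:", detect(BENIGN))
```

The parent-in-Temp condition is what keeps this from firing on everyday CodeDOM use: PowerShell `Add-Type` and ASP.NET also spawn csc.exe with an `@...cmdline` response file in %TEMP%, but their parent is powershell.exe or w3wp.exe, not an executable dropped into the user's Temp folder. Pair the `runtime_compile` hit with the `.cmdline` and `.0.vb` files listed under Downloads: the response file names the `/out:` path of the compiled binary, which is how the tmp8852.tmp.exe hash can be tied back to this chain.
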
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES898B.tmp

    Filesize

    1KB

    MD5

    5ac8dbee14afca7d5d6e400dc5c235dd

    SHA1

    a5951a28ee1cac508b5f878c91384549c3bcac50

    SHA256

    33fc2ce426bd227ea7b26e8ef84a58dac36d02e6955a4694a7f759647f8afd81

    SHA512

    aaf876fb31aa0db8f101531162d6641e77f4365e1ecf74da1561173659d709b21d4a734ff9cfa5a22452761ed8432ec8ee1476ea8c9abde96411e14ec5cf1806

  • C:\Users\Admin\AppData\Local\Temp\aq4wrkry.0.vb

    Filesize

    14KB

    MD5

    cb0bfe1d3b74090211b8099fe06a5726

    SHA1

    4c6abbab1b809b4346124b2fcde6fd0ea5253a53

    SHA256

    54ed77c67f8f1bd8c621f281184d0f8bf69bb6976894327f45b5393e16b7d483

    SHA512

    c391b6921db618984bd4c1d3e6e7d939c0effeeafb8d78e6f59fe4eb41f8b1daa13070d6c6d802903093e1a90bc88d0260e6b58c21b403e4db57ae012a8e0800

  • C:\Users\Admin\AppData\Local\Temp\aq4wrkry.cmdline

    Filesize

    266B

    MD5

    2bc2a0a621a42de50d963de440b0b290

    SHA1

    a9b0a9815cdbd340f464c15503c67f0dca723459

    SHA256

    76499d2508c415992764a7246a98ffed27d7ce708861cfa08462fd152636ab7e

    SHA512

    467f97ec270253c2a623b5431843715f9d7e8cdff2e5c6feae00e73a895d8bbc71fd5a77253bad3b36dad19998e0398726c50eca05365130ab77e9cea5638e56

  • C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe

    Filesize

    78KB

    MD5

    91fab7a09c267960c584ec4e01239f4b

    SHA1

    18a0b2a79586997edb414b39e373a19f64dac5cc

    SHA256

    6aeca9a1a8012892b9aa9d316062020ed2ab8acb355f3bc9f583e94b8b22b05e

    SHA512

    7e878c28a2c8112361720c6f3bc3bbe1a0a9115b5697286e06c86295dec79369d63ba2c732cead3db51d5b0f9142120e95e3f55e751292f363ffa57458510295

  • C:\Users\Admin\AppData\Local\Temp\vbc898A.tmp

    Filesize

    660B

    MD5

    e196b6a1aeea3c27b98c475dc0a36340

    SHA1

    ad9407dfe089d429d99d006695f46601698c628d

    SHA256

    63de2f79e354f6a095c7c751a84ca07c2b3cec7cd0bfc82a02e1860b988702ff

    SHA512

    134e20239be84d98c34f9a3e33130db4b7de7cab87758a9ca7a4097573434c855adca65cb98f162c33703aef20095606cd5baf324fef22a1837e57c5dc68ab25

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    a26b0f78faa3881bb6307a944b096e91

    SHA1

    42b01830723bf07d14f3086fa83c4f74f5649368

    SHA256

    b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

    SHA512

    a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

  • memory/2384-8-0x0000000073E40000-0x00000000743EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2384-18-0x0000000073E40000-0x00000000743EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2508-0-0x0000000073E41000-0x0000000073E42000-memory.dmp

    Filesize

    4KB

  • memory/2508-1-0x0000000073E40000-0x00000000743EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2508-2-0x0000000073E40000-0x00000000743EB000-memory.dmp

    Filesize

    5.7MB

  • memory/2508-23-0x0000000073E40000-0x00000000743EB000-memory.dmp

    Filesize

    5.7MB