Analysis
  max time kernel:  119s
  max time network: 108s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        30/11/2024, 08:43
Tasks
  static1     (static task)
  behavioral1 (behavioral task): sample f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe, resource win7-20240903-en
  behavioral2 (behavioral task): sample f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe, resource win10v2004-20241007-en
General
  Target: f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
  Size:   78KB
  MD5:    769bedaefa73efbdbb4a456f208a4250
  SHA1:   345afffc48e5dcd99c97e6781d19bd679b033304
  SHA256: f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2
  SHA512: 4e726cd3e0954ca61314f5b12105da94eefb5d130fa5e0444a2d824968e9c164aa31aba29f8083bf174f4b3b8c3e71ca5b0f49ab4f1ee72db2d7381c24ddc676
  SSDEEP: 1536:rBWV58UAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtt60m9/E1qv:tWV58UAtWDDILJLovbicqOq3o+nE9/l
Malware Config
Signatures

MetamorpherRAT
  MetamorpherRAT is a remote access tool that has been in circulation since 2013.
  Family: Metamorpherrat

Executes dropped EXE (1 IoC)
  pid   Process
  2092  tmp8852.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2508  f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
  2508  f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe

Uses the VBS compiler for execution (1 TTP)
  The binary invoked is vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework (v2.0.50727 here), not a VBScript engine: the sample compiles source at run time instead of carrying a ready-made payload. The compiler invocation and its cvtres.exe child are shown in the process tree below.

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""  tmp8852.tmp.exe
  Note the mismatch worth keying a detection on: the value name borrows the name of a legitimate .NET Framework tool (caspol.exe) while the command it launches is InstallMembership.exe under the user's Temp directory, a file that does not appear among the processes executed during this run.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp8852.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2508  f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
  Token: SeDebugPrivilege  2092  tmp8852.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                   procid_target  count
  PID 2508 wrote to memory of 2384   2508  f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe  30             4
  PID 2384 wrote to memory of 2124   2384  vbc.exe                                                                   32             4
  PID 2508 wrote to memory of 2092   2508  f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe  33             4
  (Each row was reported four times; the count column preserves the original 12 entries.)
Processes

C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe  (PID 2508)
  command line: "C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2384)
  |     command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aq4wrkry.cmdline"
  |     - System Location Discovery: System Language Discovery
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2124)
  |           command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES898B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc898A.tmp"
  |           - System Location Discovery: System Language Discovery
  |
  +-- C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe  (PID 2092)
        command line: "C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (2508) hands vbc.exe a response file (the @"...\aq4wrkry.cmdline" argument) that names the source and output to compile; cvtres.exe under vbc.exe is the compiler's normal helper that converts the compiled resource file into a COFF object for linking, not a separate stage of the malware. The sample then launches the dropped tmp8852.tmp.exe with its own path as the argument, and it is that second-stage process which writes the Run key and requests SeDebugPrivilege.
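The three behaviours above (a .NET compiler spawned by a non-build process with a response file in Temp, a Run-key value whose name does not match the executable it launches, and a Temp-resident executable started by another Temp-resident executable) can be turned into host-telemetry detections. The following is an added example, not code from the Triage report or from the Triage project: the event records are constructed to mirror the process tree and Run-key IoC in this report, and the field names (pid, ppid, image, cmdline, key, value, data), the BUILD_HOSTS allowlist and the benign control events are assumptions of this example.

```python
"""Detections for three behaviours in the report above, run over constructed
telemetry. Added example, not code from the Triage report: event records are
constructed to mirror the report's process tree and Run-key IoC; the field
names, BUILD_HOSTS allowlist and benign control events are assumptions."""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe")
FX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = "\\appdata\\local\\temp\\"          # user-writable drop location (matched lower-cased)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}  # assumed allowlist
HKU_RUN = (r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed process-creation events: the report's tree plus a benign control
# (an MSBuild-driven vbc.exe compile, which must not fire).
PROCESS_EVENTS = [
    {"pid": 2508, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 2384, "ppid": 2508, "image": FX + r"\vbc.exe",
     "cmdline": '"' + FX + r'\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aq4wrkry.cmdline"'},
    {"pid": 2124, "ppid": 2384, "image": FX + r"\cvtres.exe",
     "cmdline": FX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RES898B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc898A.tmp"'},
    {"pid": 2092, "ppid": 2508, "image": r"C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe" ' + SAMPLE},
    {"pid": 4000, "ppid": 3000, "image": r"C:\Program Files\MSBuild\msbuild.exe", "cmdline": "msbuild.exe app.vbproj"},
    {"pid": 4100, "ppid": 4000, "image": FX + r"\vbc.exe",
     "cmdline": '"' + FX + r'\vbc.exe" /noconfig @"C:\src\app\obj\Debug\app.rsp"'},
]

# Constructed registry Set-value events: the report's Run-key IoC and a benign control.
REGISTRY_EVENTS = [
    {"pid": 2092, "key": HKU_RUN, "value": "caspol.exe",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\InstallMembership.exe"'},
    {"pid": 700, "key": HKU_RUN, "value": "OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def _first_path(cmdline):
    """First argv token of a Windows command line, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def detect_compile_after_delivery(events):
    """vbc.exe/csc.exe fed a response file by a parent that is not a known build
    host: the run-time compilation in the report (ATT&CK T1027.004)."""
    images = {e["pid"]: e["image"] for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() not in {"vbc.exe", "csc.exe"}:
            continue
        parent = ntpath.basename(images.get(e["ppid"], "")).lower()
        if parent in BUILD_HOSTS:
            continue
        rsp = re.search(r'@"?([^"\s]+)', e["cmdline"])      # the @file response-file argument
        hits.append({"pid": e["pid"], "parent": parent,
                     "response_file": rsp.group(1) if rsp else None,
                     "rsp_in_temp": bool(rsp and TEMP in rsp.group(1).lower())})
    return hits


def detect_run_key_mismatch(reg_events):
    """Run-key value whose name does not match the executable it launches, or
    whose executable lives under the user's Temp directory."""
    hits = []
    for r in reg_events:
        if not r["key"].lower().endswith(RUN_KEY):
            continue
        target = _first_path(r["data"])
        name_mismatch = (r["value"].lower().endswith(".exe")
                         and r["value"].lower() != ntpath.basename(target).lower())
        in_temp = TEMP in target.lower()
        if name_mismatch or in_temp:
            hits.append({"pid": r["pid"], "value": r["value"], "target": target,
                         "name_mismatch": name_mismatch, "in_temp": in_temp})
    return hits


def detect_dropped_exe_from_temp(events):
    """Executable under Temp started by another executable under Temp: the
    sample -> tmp8852.tmp.exe step in the report. Returns the child PIDs."""
    images = {e["pid"]: e["image"] for e in events}
    return [e["pid"] for e in events
            if TEMP in e["image"].lower() and TEMP in images.get(e["ppid"], "").lower()]


if __name__ == "__main__":
    print("compile-after-delivery:", detect_compile_after_delivery(PROCESS_EVENTS))
    print("run-key:", detect_run_key_mismatch(REGISTRY_EVENTS))
    print("dropped-exe:", detect_dropped_exe_from_temp(PROCESS_EVENTS))
```

Run against the constructed events, only the three report-derived records fire: vbc.exe (2384) with its response file under Temp, the caspol.exe Run value pointing at InstallMembership.exe, and tmp8852.tmp.exe (2092) launched by the sample; the MSBuild and OneDrive controls stay silent. The BUILD_HOSTS allowlist is a starting point, not a complete inventory of legitimate compiler parents (ASP.NET's w3wp.exe, for instance, compiles pages this way), so tune it per environment.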
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)

  Filesize: 1KB
  MD5:      5ac8dbee14afca7d5d6e400dc5c235dd
  SHA1:     a5951a28ee1cac508b5f878c91384549c3bcac50
  SHA256:   33fc2ce426bd227ea7b26e8ef84a58dac36d02e6955a4694a7f759647f8afd81
  SHA512:   aaf876fb31aa0db8f101531162d6641e77f4365e1ecf74da1561173659d709b21d4a734ff9cfa5a22452761ed8432ec8ee1476ea8c9abde96411e14ec5cf1806

  Filesize: 14KB
  MD5:      cb0bfe1d3b74090211b8099fe06a5726
  SHA1:     4c6abbab1b809b4346124b2fcde6fd0ea5253a53
  SHA256:   54ed77c67f8f1bd8c621f281184d0f8bf69bb6976894327f45b5393e16b7d483
  SHA512:   c391b6921db618984bd4c1d3e6e7d939c0effeeafb8d78e6f59fe4eb41f8b1daa13070d6c6d802903093e1a90bc88d0260e6b58c21b403e4db57ae012a8e0800

  Filesize: 266B
  MD5:      2bc2a0a621a42de50d963de440b0b290
  SHA1:     a9b0a9815cdbd340f464c15503c67f0dca723459
  SHA256:   76499d2508c415992764a7246a98ffed27d7ce708861cfa08462fd152636ab7e
  SHA512:   467f97ec270253c2a623b5431843715f9d7e8cdff2e5c6feae00e73a895d8bbc71fd5a77253bad3b36dad19998e0398726c50eca05365130ab77e9cea5638e56

  Filesize: 78KB  (same size as the submitted sample, but different hashes)
  MD5:      91fab7a09c267960c584ec4e01239f4b
  SHA1:     18a0b2a79586997edb414b39e373a19f64dac5cc
  SHA256:   6aeca9a1a8012892b9aa9d316062020ed2ab8acb355f3bc9f583e94b8b22b05e
  SHA512:   7e878c28a2c8112361720c6f3bc3bbe1a0a9115b5697286e06c86295dec79369d63ba2c732cead3db51d5b0f9142120e95e3f55e751292f363ffa57458510295

  Filesize: 660B
  MD5:      e196b6a1aeea3c27b98c475dc0a36340
  SHA1:     ad9407dfe089d429d99d006695f46601698c628d
  SHA256:   63de2f79e354f6a095c7c751a84ca07c2b3cec7cd0bfc82a02e1860b988702ff
  SHA512:   134e20239be84d98c34f9a3e33130db4b7de7cab87758a9ca7a4097573434c855adca65cb98f162c33703aef20095606cd5baf324fef22a1837e57c5dc68ab25

  Filesize: 62KB
  MD5:      a26b0f78faa3881bb6307a944b096e91
  SHA1:     42b01830723bf07d14f3086fa83c4f74f5649368
  SHA256:   b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
  SHA512:   a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c