Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/11/2024, 10:59
Static task: static1

Behavioral task: behavioral1
- Sample: b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe
- Resource: win10v2004-20241007-en
General
- Target: b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe
- Size: 78KB
- MD5: 1ca379954e88873978f8fee898004950
- SHA1: d1454ee16e5aa95d6a49a47be33cb34786c5f512
- SHA256: b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10
- SHA512: 5c2a0a0630c3bbb063b524a3b470faec2dc4ccc6da52edfe34767e544a5c43054dbf457590af3db0ca70e1d2ad45dba5c239d83fcfba3dfcf9baa2c947efcc95
- SSDEEP: 1536:ye585XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6et9/YCw1tI:ye58pSyRxvhTzXPvCbW2Ui9/YCX
Malware Config
Signatures

- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.

- Metamorpherrat family

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe

- Deletes itself (1 IoC)
  pid | Process
  1696 | tmp83D6.tmp.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  1696 | tmp83D6.tmp.exe

- Uses the VBS compiler for execution (1 TTP)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmp83D6.tmp.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp83D6.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1200 | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe
  Token: SeDebugPrivilege | 1696 | tmp83D6.tmp.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1200 wrote to memory of 3476 | 1200 | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe | 83
  PID 1200 wrote to memory of 3476 | 1200 | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe | 83
  PID 1200 wrote to memory of 3476 | 1200 | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe | 83
  PID 3476 wrote to memory of 1788 | 3476 | vbc.exe | 85
  PID 3476 wrote to memory of 1788 | 3476 | vbc.exe | 85
  PID 3476 wrote to memory of 1788 | 3476 | vbc.exe | 85
  PID 1200 wrote to memory of 1696 | 1200 | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe | 86
  PID 1200 wrote to memory of 1696 | 1200 | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe | 86
  PID 1200 wrote to memory of 1696 | 1200 | b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe | 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe"
   PID: 1200
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0eyht5is.cmdline"
      PID: 3476
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES859B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC399C0FCC40434C94D68E6B7F899AC8.TMP"
         PID: 1788
         - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b3c3faee150257c3dfaaaf9133f2607b67e46000ee44ff624e7c60ef806e5e10N.exe
      PID: 1696
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 14KB
  MD5: 1de09fba9b47fecfd9710900858e0845
  SHA1: 6f4fa0d3fbb4e0166e174dcb9db394968b22734f
  SHA256: e99f3745809ef58c4fd7db512c94474c982d9de19310f0ea2b5fd9d8e2992de1
  SHA512: 92df294bceac9f01036729c6a44350c1dd1180db550e8e46305ea57acf78fa514d795ccef28bfac925eff87ddae90f0e2cd9c593db9d08c9d951b2053506d8f8

- Filesize: 266B
  MD5: 7f2663a7df88209ce19e5bc662236912
  SHA1: ee4724a9c65120181150e790f1c9c10a40e468eb
  SHA256: 390d5eac38ac1f67a126d68c02e1eff9a9c2dc32bcb6da38456d695df90fe08c
  SHA512: c45a7705009eaab540a34b9f012d716c22030f3b4121dc7c41fd3c633884e4e582a10db1aae79b9599f518027306bf12b91a80be126bb224b5ee3116c2704d14

- Filesize: 1KB
  MD5: 2644e284693b0140378fad1d62d51a99
  SHA1: aac034a6576a621f040ae275387c2eb3ad808c9d
  SHA256: dbaa06b1d85016850a63e07f39e4baaf515ba68f6cee6b8adad67cd1e00b7331
  SHA512: 75a35b814683e5f6e3683fd34be1c509f386fbac6afe0576f41eb9f4a4769eec2272d9022e1acfbf6bb87316be93340d93c53077be563f91689a5896245727fd

- Filesize: 78KB
  MD5: a8be516e188a7bdd3b325c9cfcfd0a30
  SHA1: 96879dfaac56a7f1d574bd06f821c56bd18b3dd4
  SHA256: 8595192b1e36cc523ebdb0cef8642927040bdde60673948265704796e3fcef18
  SHA512: 81861eae01665adc31178a618d00d09e4e5cd8a494080b45d64b6e062c73cce32fe2042bceb4c02d3420723957bd34a64f8798980d8e05eb4626bc13270fca3f

- Filesize: 660B
  MD5: e2f14df390b49941224d9239028dde8b
  SHA1: 5d2d2581a7d5fc0cc276b67ac1fbe6c3c8c20e17
  SHA256: ffc44bcd0231c50eb0f93666abe330c1f77a8689cc3637a63d30fe631efb9477
  SHA512: 8c19c2a170a4178d73e6080d72fd2a6a94c63f95786284fd43fb7f3033cc27021d543e47253a18d491fa5b1c00014fca3c4273e88a09909e32026a595bd7bfca

- Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c