Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2024, 03:47
Static task: static1

Behavioral task: behavioral1
- Sample: 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
- Resource: win10v2004-20241007-en
General
- Target: 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
- Size: 78KB
- MD5: 1febe87029e171a05962959110aedf67
- SHA1: 402257db7a85b52cbd447e31e40fe84c57783194
- SHA256: 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858
- SHA512: 909f46b2acdcb9d27bdeea1d03e370dbf8ec9df606b4825dc367fd67380aeb4c67b395d159bc3329e3b9e929e422081a3ec02d0983b74eb3bced811d9a039068
- SSDEEP: 1536:IvWV5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6U9/T011hN:+WV5jEJywQjDgTLopLwdCFJzL9/6N
Malware Config

Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
  process: 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
- Executes dropped EXE (1 IoC)
  pid: 1356
  process: tmp8EC3.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8EC3.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2336
  process: 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | procid_target
  PID 2336 wrote to memory of 2252 | 2336 | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe | 83
  PID 2336 wrote to memory of 2252 | 2336 | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe | 83
  PID 2336 wrote to memory of 2252 | 2336 | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe | 83
  PID 2252 wrote to memory of 4752 | 2252 | vbc.exe | 85
  PID 2252 wrote to memory of 4752 | 2252 | vbc.exe | 85
  PID 2252 wrote to memory of 4752 | 2252 | vbc.exe | 85
  PID 2336 wrote to memory of 1356 | 2336 | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe | 86
  PID 2336 wrote to memory of 1356 | 2336 | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe | 86
  PID 2336 wrote to memory of 1356 | 2336 | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe | 86
Processes (process tree; indentation shows parent/child)

- C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe (PID 2336)
  command line: "C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2252)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z8ehkxud.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4752)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE13D857F2BAB477FBB1FD56E69EE777.TMP"
      - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\tmp8EC3.tmp.exe (PID 1356)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp8EC3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Downloads
(per-file hash listing for the dropped/downloaded files omitted)