Analysis
- Max time kernel: 109s
- Max time network: 117s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 05/12/2024, 11:42
Static task: static1
Behavioral task: behavioral1
- Sample: 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
- Resource: win10v2004-20241007-en
General
- Target: 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
- Size: 78KB
- MD5: fe728f00f45d82a7f0d5494a3e34699b
- SHA1: 44eb0c478edb1c0f1faacea0843f0481ba3a39cf
- SHA256: 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da
- SHA512: 031d752ab87c8910c9064cb950f114fb253099e514a1d18b165f5d59e2bf8a39f798a1e1399bd086a68b1751c742510cdd0f4c7841ae67c644da16697277e008
- SSDEEP: 1536:nRWtHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLM9/R45:nRWtHFbdSE2EwR4uY41HyvYLM9/up
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- MetamorpherRAT family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1996 | tmp926C.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmp926C.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp926C.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1324 | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
  Token: SeDebugPrivilege | 1996 | tmp926C.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1324 wrote to memory of 3596 | 1324 | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe | 83
  PID 1324 wrote to memory of 3596 | 1324 | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe | 83
  PID 1324 wrote to memory of 3596 | 1324 | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe | 83
  PID 3596 wrote to memory of 4848 | 3596 | vbc.exe | 85
  PID 3596 wrote to memory of 4848 | 3596 | vbc.exe | 85
  PID 3596 wrote to memory of 4848 | 3596 | vbc.exe | 85
  PID 1324 wrote to memory of 1996 | 1324 | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe | 86
  PID 1324 wrote to memory of 1996 | 1324 | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe | 86
  PID 1324 wrote to memory of 1996 | 1324 | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1324
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdvowfft.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 3596
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9337.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CAAA2A57BE14C40B987A144503B52E4.TMP"
      Signatures: System Location Discovery: System Language Discovery
      PID: 4848
  - C:\Users\Admin\AppData\Local\Temp\tmp926C.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp926C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    PID: 1996
Network
MITRE ATT&CK Enterprise v15
Downloads