Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2024, 02:26

General

  • Target

    769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe

  • Size

    78KB

  • MD5

    b149258016c2549920c92c20334de260

  • SHA1

    4b068d333356109fccc3983606a64ce0573b4aab

  • SHA256

    769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34

  • SHA512

    21a40e48b2f72243aaf1ec09b197de8f0ba2a84d98a5339d3af8165b04654c602d0a50a74e4cd5910b2feafba2d0a02a8c49cfc58f3e5723707c347aa9cb307b

  • SSDEEP

    1536:HHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQten9/G+1M9:HHYnhASyRxvhTzXPvCbW2Uen9/G

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
    "C:\Users\Admin\AppData\Local\Temp\769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fhvmg5l0.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9BE.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Users\Admin\AppData\Local\Temp\tmpB867.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB867.tmp.exe" C:\Users\Admin\AppData\Local\Temp\769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB9BF.tmp

    Filesize

    1KB

    MD5

    d1f57176d1b9afc12220f17a4bf8dc3d

    SHA1

    9b7636a437fcdd7a30cebc1d27f2e2bec3e0d7c6

    SHA256

    bfbdd956b5a8afb19ee120f183e21120532218e88b089a5cf0f0547def4d86af

    SHA512

    6a3655163902e8f9755fd93d9a98e53acc7d0ddf5a02bd09440d16406f11ef49ce16283650f7bfcb8b123835ef391c4f90d836c9a8fea0c634f36c42f307b9f0

  • C:\Users\Admin\AppData\Local\Temp\fhvmg5l0.0.vb

    Filesize

    15KB

    MD5

    afd9773293b71a085b06ecc92f885230

    SHA1

    07330b23b79422f416524beb622ed8a66cbebf11

    SHA256

    1f75be17067d78e4d0f11b081c8f00530f22a217acf354c72ce57cea7912ed9f

    SHA512

    67af28c1e6fc261e85c3acb45a7512578788757df92bf9f43af6f6490044b21cbda32d938ec7bd379427f405f8814df0129fb9c66a4b33271eb55f75a1592e8a

  • C:\Users\Admin\AppData\Local\Temp\fhvmg5l0.cmdline

    Filesize

    266B

    MD5

    b7acf6793201d5decfb50ca83b3a164b

    SHA1

    47c9c1aaf693c07837ab56ce8ed08439be951e70

    SHA256

    11ed6728fa05c1847eaef884f7c36673cc48ad9e5b706acaee0a78d8ef190b5e

    SHA512

    8be5c5e0e6db443f592cff8a7b86e6119aa55d738bcaf3a62cd6a1e6eb366b99d64ab699baf5bf3298cc511518c67d31284c1695c2ffb78fbff7aa6c9e294996

  • C:\Users\Admin\AppData\Local\Temp\tmpB867.tmp.exe

    Filesize

    78KB

    MD5

    9dc57e3e094ce5a065573ba71a609fcf

    SHA1

    b8d6d7a8a300c78cc862151cee4d4d5063f6b5cd

    SHA256

    ca28b7db419f1023ce624fcab258417122d3d48d36432684d18f0b75448a60bd

    SHA512

    57651eb8fdd8a8451f95c1b893af984625337477896eca7e67d70225c4ef568d6ef85962b5ee3ff8a9e7307434df5c8acbdf5a250d60f77274e350e09a548af1

  • C:\Users\Admin\AppData\Local\Temp\vbcB9BE.tmp

    Filesize

    660B

    MD5

    ae9eeb882da733dcf83e73ff79edf125

    SHA1

    21db7ac698171c1c5ffaf1f16bee2e67b40d8fd3

    SHA256

    3ff93272d654343a7d46147c9807a1c3ba1cfd1a6d0d3df1b7581a3e85d237c7

    SHA512

    434dea1cc2478e4bb84c621591d69c7a53c2bd9b6139e853aa94d3506e799821762826d169a5d7328a428d54dde26c54af4bf6a822f532719671498cdf2cbbbe

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/2160-0-0x0000000074371000-0x0000000074372000-memory.dmp

    Filesize

    4KB

  • memory/2160-2-0x0000000074370000-0x000000007491B000-memory.dmp

    Filesize

    5.7MB

  • memory/2160-1-0x0000000074370000-0x000000007491B000-memory.dmp

    Filesize

    5.7MB

  • memory/2160-24-0x0000000074370000-0x000000007491B000-memory.dmp

    Filesize

    5.7MB

  • memory/2260-8-0x0000000074370000-0x000000007491B000-memory.dmp

    Filesize

    5.7MB

  • memory/2260-18-0x0000000074370000-0x000000007491B000-memory.dmp

    Filesize

    5.7MB