Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2024, 02:26
Static task: static1
Behavioral task: behavioral1
  Sample: 769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
  Resource: win10v2004-20241007-en
General
Target: 769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
Size: 78KB
MD5: b149258016c2549920c92c20334de260
SHA1: 4b068d333356109fccc3983606a64ce0573b4aab
SHA256: 769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34
SHA512: 21a40e48b2f72243aaf1ec09b197de8f0ba2a84d98a5339d3af8165b04654c602d0a50a74e4cd5910b2feafba2d0a02a8c49cfc58f3e5723707c347aa9cb307b
SSDEEP: 1536:HHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQten9/G+1M9:HHYnhASyRxvhTzXPvCbW2Uen9/G
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  PID 2768: tmpB867.tmp.exe
- Loads dropped DLL (2 IoCs)
  PID 2160: 769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
  PID 2160: 769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmpB867.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpB867.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2160 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe)
  Token: SeDebugPrivilege, PID 2768 (tmpB867.tmp.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2160 wrote to memory of 2260 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe; procid_target 30)
  PID 2160 wrote to memory of 2260 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe; procid_target 30)
  PID 2160 wrote to memory of 2260 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe; procid_target 30)
  PID 2160 wrote to memory of 2260 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe; procid_target 30)
  PID 2260 wrote to memory of 2804 (vbc.exe; procid_target 32)
  PID 2260 wrote to memory of 2804 (vbc.exe; procid_target 32)
  PID 2260 wrote to memory of 2804 (vbc.exe; procid_target 32)
  PID 2260 wrote to memory of 2804 (vbc.exe; procid_target 32)
  PID 2160 wrote to memory of 2768 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe; procid_target 33)
  PID 2160 wrote to memory of 2768 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe; procid_target 33)
  PID 2160 wrote to memory of 2768 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe; procid_target 33)
  PID 2160 wrote to memory of 2768 (769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe; procid_target 33)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2160
  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fhvmg5l0.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2260
    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9BE.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2804
  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmpB867.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB867.tmp.exe" C:\Users\Admin\AppData\Local\Temp\769b265dfa9860b3a3dba07ddf9a450ca2dfe4a25d62bf5d5d3ec0c4d1ce4b34N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2768
Network
MITRE ATT&CK Enterprise v15
Downloads