
Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2024, 02:39 UTC

General

  • Target

    4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe

  • Size

    78KB

  • MD5

    01658283871862263343db8c80526e20

  • SHA1

    7304d9cf47d70ccd9a54892e53205ce8ed86d33e

  • SHA256

    4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a

  • SHA512

    3b62bd87ffd3910484728d3e21f2c7d759b823b0575ff9773ab33010581617e38646d3ce1733d4f7be80a26d7c72483720e86961803431364ad97a53f2693e66

  • SSDEEP

    1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+A:UPy5jS6l0Y9MDYrm7f9/qXA

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
    "C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_vh32jnc.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4A4.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2432
    • C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2744

Network

  • DNS (US)
    bejnz.com
    tmpE32E.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    bejnz.com
    IN A
    Response
    bejnz.com
    IN A
    44.221.84.105
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:39 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=79d969125ee3b6cb6e16da9dcb566383|181.215.176.83|1733539179|1733539179|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:41 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=bfea76d345cdad2d64dee9807d379cdd|181.215.176.83|1733539181|1733539181|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:44 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=252d90b33363cabc01adf1b3d7378d79|181.215.176.83|1733539184|1733539184|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:46 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=4a6e467191ab82902567903dd32500ba|181.215.176.83|1733539186|1733539186|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:48 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=68494740762ad708a51d3f63dab56d0e|181.215.176.83|1733539188|1733539188|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:50 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=fe6dc9d373582607176c4bb0926e4329|181.215.176.83|1733539190|1733539190|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:53 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=5c201ec851de9a91022fc235ceefa1f5|181.215.176.83|1733539193|1733539193|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:55 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=0cedaee14e48e99ad3b9dd579f72f62e|181.215.176.83|1733539195|1733539195|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:57 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=f64c1c4e7ca3a2b67f2a408ad2586db3|181.215.176.83|1733539197|1733539197|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:40:00 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=3254dada84ac5eb74f7c42d061724757|181.215.176.83|1733539200|1733539200|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • GET (US)
    http://bejnz.com/IP.php
    tmpE32E.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    295 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    317 B
    625 B
    6
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    317 B
    625 B
    6
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    317 B
    625 B
    6
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpE32E.tmp.exe
    1.0kB
    260 B
    15
    5

    HTTP Request

    GET http://bejnz.com/IP.php
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    bejnz.com
    tmpE32E.tmp.exe
    296 B
    6
  • 127.0.0.1:127
    tmpE32E.tmp.exe
  • 44.221.84.105:80
    bejnz.com
    tmpE32E.tmp.exe
    152 B
    3
  • 8.8.8.8:53
    bejnz.com
    dns
    tmpE32E.tmp.exe
    55 B
    71 B
    1
    1

    DNS Request

    bejnz.com

    DNS Response

    44.221.84.105

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESE4A5.tmp

    Filesize

    1KB

    MD5

    518c8081596dee1069239969e39cc012

    SHA1

    8e612bbabdf1932e712a5b84e6d64cb98c937e0d

    SHA256

    b7e1b87f347dce2d04488f895fc8091b9b9caac8defcbcbfb25b8687499e890b

    SHA512

    3e04419d18b97c1457c0b42567a34f5efb97c4e69295614b6a48bf3ea6c9f4aa8e43c25544d568b49b676ea5444e055772554681746acb18a3c5abbdf5e5302a

  • C:\Users\Admin\AppData\Local\Temp\_vh32jnc.0.vb

    Filesize

    14KB

    MD5

    ce85b0cbc99cf52fcc19c2586effcfd6

    SHA1

    778c5b13aa7e887a8c9476a0c1a8f7e439416f32

    SHA256

    056f73160bb6b6077374248b78faedf5040555507330d9822ede52a134c98277

    SHA512

    ee8da67732396d45e58362a30d01ba3527eea3d7facc9d30c0f6792ab0920a014b813612105ae370b13cbca13c9a8250a6653c8ab3a4f2761812123b5b8fb3ae

  • C:\Users\Admin\AppData\Local\Temp\_vh32jnc.cmdline

    Filesize

    266B

    MD5

    0abc3536f26e1127943691e431b41c9a

    SHA1

    a8efa6ead7b5c693774c4c8ea5f930c3213a75f0

    SHA256

    4affe920cb651929d4f3ef1f64ded4c3a7fc2e9377c3c57f72d053d79cbfcb5e

    SHA512

    0c5af9c619db791fdbefcd4388a3bc026f2f77dee857950230d1946dcad095242ca741ccc1235cac8e4a736bce13b4778cdbffd66ab246786ea1cbcd3a917030

  • C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe

    Filesize

    78KB

    MD5

    9d5dfed8a5552ec7d4de806755190e16

    SHA1

    cb4c6f4a5db7b486f6833943d6c9d83841e4a3b1

    SHA256

    565ac8cac776d2f9932053d4d0133c5e748b38d5a056b8026a1ea1544bdfd2d4

    SHA512

    e6eb9f3195bface9921ca0c7d29a9ae204633269429e9808c2d671814545d747477d1f3804ce68c6844d4e3194f50f17d42f06b354297c9f64a5915cba9666c8

  • C:\Users\Admin\AppData\Local\Temp\vbcE4A4.tmp

    Filesize

    660B

    MD5

    dae8d8006a08569babc234e11b5d1e59

    SHA1

    371b9330d1bc03d87fde522b4c73e60aabe2d9fd

    SHA256

    2c02bef5904c77941c2b155bf495a96d4abcd6262b1f607fc3cda8aff188e145

    SHA512

    4da10fffb31448ddc3fbdedc5236571271b7eabee10d2504244efd9860867d6a64bb3bae0fe3a2fe048617fe24f666973f0136fd879c023bf69142a07b0a3a18

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/1720-0-0x0000000074D91000-0x0000000074D92000-memory.dmp

    Filesize

    4KB

  • memory/1720-1-0x0000000074D90000-0x000000007533B000-memory.dmp

    Filesize

    5.7MB

  • memory/1720-2-0x0000000074D90000-0x000000007533B000-memory.dmp

    Filesize

    5.7MB

  • memory/1720-24-0x0000000074D90000-0x000000007533B000-memory.dmp

    Filesize

    5.7MB

  • memory/2288-8-0x0000000074D90000-0x000000007533B000-memory.dmp

    Filesize

    5.7MB

  • memory/2288-18-0x0000000074D90000-0x000000007533B000-memory.dmp

    Filesize

    5.7MB
