Analysis

Max time kernel: 119s
Max time network: 120s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10/12/2024, 09:06
Static task: static1

Behavioral task: behavioral1
  Sample: 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
  Resource: win10v2004-20241007-en
General

Target: 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Size: 78KB
MD5: 3682d0e08952bd54fa17a1fca835727e
SHA1: e3ea814f3be54232c1ca53ebca6a710de7b4708d
SHA256: 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919
SHA512: b22f55673c20afa9a52dee71469cea1d63b33627475fb18b9dca6dfb600810cec5a6bc9d6d9d45d71a4a688750732d4d1de0fd5eb69441c5f3d9e63c8a6b475a
SSDEEP: 1536:tc58pXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96R9/41Shz:tc58ZSyRxvhTzXPvCbW2Ui9/jz
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (process: 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe)
Deletes itself (1 IoC)
  PID 684, tmpAAB7.tmp.exe

Executes dropped EXE (1 IoC)
  PID 684, tmpAAB7.tmp.exe
Uses the VBS compiler for execution (1 TTP)
The process tree shows vbc.exe, the Visual Basic .NET command-line compiler (not the VBScript engine), invoked with /noconfig and a response file (hljobohg.cmdline) in the user's Temp directory, followed by cvtres.exe. That vbc.exe + cvtres.exe pair is what the .NET CodeDom compiler pipeline spawns when a program compiles source at run time, so the sample is generating the dropped executable on the host rather than carrying it as a finished PE.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmpAAB7.tmp.exe)
  Note that the Run value points at C:\Users\Admin\AppData\Local\Temp\System.Web.exe, which is not the path of the dropped tmpAAB7.tmp.exe, and no process by that name appears in this run; the value name mimics an ASP.NET component, so an allowlist keyed on "aspnet" or "System.Web" would miss it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpAAB7.tmp.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3656, 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
  Token: SeDebugPrivilege, PID 684, tmpAAB7.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3656 (4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe) wrote to memory of PID 3248, procid_target 85 (3 events)
  PID 3248 (vbc.exe) wrote to memory of PID 3992, procid_target 87 (3 events)
  PID 3656 (4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe) wrote to memory of PID 684, procid_target 88 (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe (PID 3656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3248, child of 3656)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hljobohg.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3992, child of 3248)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C42D7413E21457DB2DC1BAA353851.TMP"
      Signatures: System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmpAAB7.tmp.exe (PID 684, child of 3656)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAAB7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
    Signatures: Deletes itself; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

The dropped tmpAAB7.tmp.exe is launched with the original sample's full path as its only argument, and it is the process carrying the "Deletes itself" signature; together these are consistent with a hand-off in which the compiled child removes the parent binary from disk while persistence is re-pointed elsewhere via the Run key.
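As an added example (not part of the tria.ge report and not the sandbox's own signature logic), the following Python expresses the chain above as detection rules and runs them over constructed Sysmon-style process and registry events that mirror the tree and registry IoCs shown. The event dictionary shape, the DEV_PARENTS allowlist, the USER_WRITABLE path pattern and the root process's parent PID (1000) are assumptions; the PIDs, paths, command lines and registry keys are the ones from this report.

```python
"""Added detection example: flag the behaviour chain seen in the report above
(runtime compilation via vbc.exe/cvtres.exe, a dropped Temp executable handed
the original sample's path, a Run key pointing into Temp, and a Geo\\Nation
lookup). The event dicts are a constructed, Sysmon-like shape, not tria.ge's
own data model; ppid 1000 for the root process is an assumption."""
import ntpath
import re

SAMPLE = "4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
NETFX = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727"
SID = "S-1-5-21-493223053-2004649691-1575712786-1000"

# Constructed events modelled on the process tree and registry IoCs in the report.
EVENTS = [
    {"type": "process", "pid": 3656, "ppid": 1000, "image": f"{TEMP}\\{SAMPLE}",
     "cmdline": f'"{TEMP}\\{SAMPLE}"'},
    {"type": "registry", "pid": 3656, "op": "query",
     "key": f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation"},
    {"type": "process", "pid": 3248, "ppid": 3656, "image": f"{NETFX}\\vbc.exe",
     "cmdline": f'"{NETFX}\\vbc.exe" /noconfig @"{TEMP}\\hljobohg.cmdline"'},
    {"type": "process", "pid": 3992, "ppid": 3248, "image": f"{NETFX}\\cvtres.exe",
     "cmdline": f'{NETFX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESAB92.tmp"'},
    {"type": "process", "pid": 684, "ppid": 3656, "image": f"{TEMP}\\tmpAAB7.tmp.exe",
     "cmdline": f'"{TEMP}\\tmpAAB7.tmp.exe" {TEMP}\\{SAMPLE}'},
    {"type": "registry", "pid": 684, "op": "set",
     "key": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\aspnet_state_perf",
     "value": f'"{TEMP}\\System.Web.exe"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumed benign parents
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\", re.I)


def _base(path):
    return ntpath.basename(path).lower()


def _args(event):
    """Command-line tail after the image path, whether or not the image is quoted."""
    cmd, image = event["cmdline"], event["image"]
    head = f'"{image}"' if cmd.startswith('"') else image
    return cmd[len(head):] if cmd.lower().startswith(head.lower()) else cmd


def analyze(events):
    """Return sorted (rule, pid) findings for a list of process/registry events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = set()
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            img = _base(e["image"])
            # .NET compiler driven by a response file from a non-developer parent
            if (img in COMPILERS and "/noconfig" in e["cmdline"].lower()
                    and parent is not None and _base(parent["image"]) not in DEV_PARENTS):
                findings.add(("runtime_compile", pid))
            # cvtres.exe is the resource linker the compiler spawns in that chain
            if img == "cvtres.exe" and parent is not None and _base(parent["image"]) in COMPILERS:
                findings.add(("compiler_resource_link", pid))
            # executable in a user-writable dir given its parent's own path as an argument
            if (USER_WRITABLE.search(e["image"]) and parent is not None
                    and parent["image"].lower() in _args(e).lower()):
                findings.add(("self_delete_handoff", pid))
        elif e["type"] == "registry":
            key = e["key"].lower()
            proc = procs.get(pid)
            # Run key whose target lives in a user-writable location
            if e["op"] == "set" and "\\currentversion\\run\\" in key and USER_WRITABLE.search(e.get("value", "")):
                findings.add(("run_key_to_temp", pid))
            # country-code lookup from a binary running out of a user-writable dir
            if (e["op"] == "query" and key.endswith("\\geo\\nation")
                    and proc is not None and USER_WRITABLE.search(proc["image"])):
                findings.add(("geofence_lookup", pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:24s} pid={pid}")
```

Run against the constructed events this yields five findings, one per stage of the chain (compile, resource link, hand-off, persistence, geofence). The run-key rule fires on the System.Web.exe target even though no such process ran, which is the right outcome: the persistence path is what an analyst needs to pull from the host. The USER_WRITABLE pattern and DEV_PARENTS allowlist are where tuning belongs; legitimate CodeDom users (some installers, reporting tools) will trip runtime_compile alone, so weight the combination of rules rather than any single one.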
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1KB
  MD5: 7c7bc583f19be3fc321698332285e9bb
  SHA1: 6952ef88befdcf3f47f66581dfd346a5dd308ef7
  SHA256: 9af61d3b51f80d31226a3aef8fe48446fcf7e06fb42e7e25b24685025547f404
  SHA512: 86db0609d58645469aefbe1649c105f08da17ea2520a92e98918920b743afd8291ee70c619b75a1afd44d4bd058bebf777d4f6edce6bd541c36a155a879c36c0

File 2
  Filesize: 14KB
  MD5: 8b1351e590ec74dc9be4151d451e862a
  SHA1: c9400c9637186bbdabab2c345ff0c0d1298e9e45
  SHA256: 488a2a4fa799e8d036d48e74c95d4d6b0b05d9afe258078724b109ff763e01ff
  SHA512: 3134f474b6100c40d59de0a0a810f113a71f6750a907cdc7bbbdea94c7de6ea9e5de0736ed17872e36951a01a0548066bb070fd463cfab744e555058e89e6ddf

File 3
  Filesize: 266B
  MD5: 7acef9c502271231ee274cc4755b8cb7
  SHA1: d174e43b28ff30e1abb1e367c6619dbccafd9120
  SHA256: 4b2c9f1b6f5694801f200f94f4b454988f7d02c5ec7e8d07711d1e27d807cd92
  SHA512: b3959617a212d6ce9ab3f7806102d04b5bf2dea61d4e7487733b9263a5efc77f2a58811bd950f378cdde08aa4fbbab5332800a59e7004ab93a53fad0ade1000c

File 4
  Filesize: 78KB
  MD5: 0c8a07e16dd23654149d6ab3cd8660d2
  SHA1: 77642bda801fe1ca460c4847ef2e4b734077e7b6
  SHA256: 9996f3244e27ea8379c0fec3114c8232607c10d0e4e8ad9d687a4cd0df97581a
  SHA512: de566861bb477bf67b661ae995cfea570d85e33d10d3357e19ba8e044abd191503f456c9b8729122a8b54bf8de27f88f2527771a5b65aa0ccd7179efc6b3a38f

File 5
  Filesize: 660B
  MD5: 599981c335fdd834762f687863263d97
  SHA1: d37628237b0e0a0e96be0df077e227ce73b4c6ef
  SHA256: 46d98160811857cca9a3ff9800369e578efd8f7a5631edb016a9de6fb920ed63
  SHA512: 0ff2a7af65aa8c692b74fca7080c028bd09f4ccc1b07e91ec2163f888b671dd1903174b719fb992408774c2df9f85c576e7c7f32815845af284f8e1a0c591a15

File 6
  Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Note that the 78KB artifact (File 4) has the same size as the submitted sample but a different hash set, so it is a distinct binary written during the run; the report does not name which dropped file each entry corresponds to.