Analysis
- max time kernel: 127s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10/12/2024, 19:31
Static task: static1
Behavioral task: behavioral1
  Sample: 0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
  Resource: win10v2004-20241007-en
General
- Target: 0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
- Size: 78KB
- MD5: cbe97fc8b41dd3ecda90e85e50ab50f1
- SHA1: 74475a0463f49669371342eb3f519c1910b5fe3e
- SHA256: 0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db
- SHA512: 85d4fd9ea269d4b4d01064b49fcdefd93855bdf99ea683331ed656c757082e55f4a2348b7358da86b1bc420e069aaf7c422bbf0743c0fe529b92bd86d7c33820
- SSDEEP: 1536:eWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteM9/f1LR:eWtHFonhASyRxvhTzXPvCbW2UeM9/f
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a remote access tool that has been in circulation since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  pid   Process
  2380  tmpC4A6.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  3008  0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
  3008  0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmpC4A6.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tmpC4A6.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3008  0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
  Token: SeDebugPrivilege  2380  tmpC4A6.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each row below was logged 4 times)
  description                       pid   Process                                                                   procid_target
  PID 3008 wrote to memory of 2268  3008  0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe     30
  PID 2268 wrote to memory of 2348  2268  vbc.exe                                                                   32
  PID 3008 wrote to memory of 2380  3008  0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe     33
Processes
- C:\Users\Admin\AppData\Local\Temp\0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3008
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\76sosf5p.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2268
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC562.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC561.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2348
  - C:\Users\Admin\AppData\Local\Temp\tmpC4A6.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC4A6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2380
Network
MITRE ATT&CK Enterprise v15
Downloads