Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    127s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/12/2024, 19:31

General

  • Target

    0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe

  • Size

    78KB

  • MD5

    cbe97fc8b41dd3ecda90e85e50ab50f1

  • SHA1

    74475a0463f49669371342eb3f519c1910b5fe3e

  • SHA256

    0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db

  • SHA512

    85d4fd9ea269d4b4d01064b49fcdefd93855bdf99ea683331ed656c757082e55f4a2348b7358da86b1bc420e069aaf7c422bbf0743c0fe529b92bd86d7c33820

  • SSDEEP

    1536:eWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteM9/f1LR:eWtHFonhASyRxvhTzXPvCbW2UeM9/f

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
    "C:\Users\Admin\AppData\Local\Temp\0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\76sosf5p.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC562.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC561.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2348
    • C:\Users\Admin\AppData\Local\Temp\tmpC4A6.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC4A6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0905ff803421f08a1335498881470ad6a1ea1447bb7afc1bf218ce82b87128db.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\76sosf5p.0.vb

    Filesize

    15KB

    MD5

    17851f552a7be8842d99a32d7aba17fd

    SHA1

    50d0e448560f520069d9ff70825231996120063a

    SHA256

    9f22801e2d58f64352d367ae04d75c3d5834ab971cf9139e1d820498880bc919

    SHA512

    518367163f143e62ddf10ec89e35f9df4f74e7227e30487a8211b4b5f8047c97909e81aefa8e894feb5fcf6f331d3b82cb737adc4810e5d76979f8834f12fdea

  • C:\Users\Admin\AppData\Local\Temp\76sosf5p.cmdline

    Filesize

    266B

    MD5

    d3de0b7c97fc464483724f661c6a4341

    SHA1

    419579428f104831ffec55652f10ed1f3ed4a18d

    SHA256

    3723e9d27fe60f13f6d42a24fbcca1f4069bb7328b1057f7c243d087b9b05098

    SHA512

    ebac16bcef474a5451f02c7e9d2c6c1bb875973b4782ec74479c2e083cca83715c5cff8deb430be2399f5414621fa7979d04b925c448dafb610f91b753d1904e

  • C:\Users\Admin\AppData\Local\Temp\RESC562.tmp

    Filesize

    1KB

    MD5

    20278838dad076d3c94c9ff50bd52a6c

    SHA1

    dd52e8dc46b05540033a26e9a6fb862cc3c7b221

    SHA256

    8c34c5fbbc7a8264e81675da5d71f54b8a36eaea47ec6eb625743a6a8a3d0620

    SHA512

    912cc56490fa2e97512b9bb8a64e1313f8208be57ed2243c085e15739c1341c36f7fdd384ea68e508c1f5bc0f620c5ea9b615db06e2a260f055b0d37a7b3275e

  • C:\Users\Admin\AppData\Local\Temp\tmpC4A6.tmp.exe

    Filesize

    78KB

    MD5

    81be40e044e78032cc53ef02f7708542

    SHA1

    1afda10f8553b0584b909668819ba84aebe74d6c

    SHA256

    d8028fc2390f457c24f19f0136e8b67bc7efb0e7594f94ecb47acd397902eb25

    SHA512

    8f8c983eba2034563d5dc9e93bf86de3262c0bcc1118df9d8b448006d2fdfbdd9905de115358386c67e68ba07490c41830641cfa6d4bfc4a3d328ceaf4e6a38c

  • C:\Users\Admin\AppData\Local\Temp\vbcC561.tmp

    Filesize

    660B

    MD5

    ffad0a0da0602eb79222c376856fe41c

    SHA1

    b888b6f058ac2b3adb0c020fde8957e3f7cee03f

    SHA256

    4a1408546fb7da52d0a3acd98f7097222cfab6f1bee71cac9de27901b770484d

    SHA512

    7a16ebfef19f47e929ee27fda3dab2eaea6cc59fa99a555d90ad60ccbea3d09634da91e79579603db711c53a42ae4cc05dff94f578c0c153835b2719620fa679

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/2268-8-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2268-18-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

  • memory/3008-0-0x0000000074541000-0x0000000074542000-memory.dmp

    Filesize

    4KB

  • memory/3008-1-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

  • memory/3008-2-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

  • memory/3008-24-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB