Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/12/2024, 20:23
Static task
static1
Behavioral task
behavioral1
Sample
49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe
Resource
win10v2004-20241007-en
General
-
Target
49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe
-
Size
78KB
-
MD5
c67f959690925a70d625e554abfc98b0
-
SHA1
dc6907ae7361723bdb30c2a595a04705aaaa8216
-
SHA256
49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6
-
SHA512
4b396decb38bb184d1fe75d07187f32e3960d2b7efb2ec2fab95d3571caeeb1d580373629d3fdff85e40616916514b24d7c69498a0bb5cd151ff5a06e62a3693
-
SSDEEP
1536:/uHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteqT9/I12k:/uHa3Ln7N041QqhgeqT9/a
Malware Config
Signatures
-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe -
Executes dropped EXE 1 IoCs
pid Process 2776 tmp802C.tmp.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" tmp802C.tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp802C.tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3700 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe Token: SeDebugPrivilege 2776 tmp802C.tmp.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3700 wrote to memory of 3552 3700 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe 82 PID 3700 wrote to memory of 3552 3700 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe 82 PID 3700 wrote to memory of 3552 3700 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe 82 PID 3552 wrote to memory of 3916 3552 vbc.exe 84 PID 3552 wrote to memory of 3916 3552 vbc.exe 84 PID 3552 wrote to memory of 3916 3552 vbc.exe 84 PID 3700 wrote to memory of 2776 3700 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe 85 PID 3700 wrote to memory of 2776 3700 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe 85 PID 3700 wrote to memory of 2776 3700 49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe"C:\Users\Admin\AppData\Local\Temp\49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fqojdqbr.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE45464BA9BE049AE9792496978E88A20.TMP"3⤵
- System Location Discovery: System Language Discovery
PID:3916
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmp802C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp802C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49526e292bc356673520262072d7be0e53c134ab16db381f2c58992f081e6ae6N.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD562c437912ca5f9a9206b3a2b9cdb6aa4
SHA1712567b7eba3d8904056fca80c712934127cd888
SHA256f7a292482fa91600bfa39d08e81034c046a3463121f204b9f4d49457318d4e33
SHA512c3156c5c1ea9a628b3c9d43527ebb9f2168a873f617d4bc9d0377a41bb42a3afc56e02d03982ee7a24a30cf02b15c402ddb47608a17131b8c9675a19a52744a0
-
Filesize
15KB
MD51e05468d1beee0e447a4b49b3550a06e
SHA1a519830d29f9323dfc869eb9c06e90c38d4d7f5a
SHA256ec37f17bc8f35b118235d93603703a81b83ab90bc2619501b1c6c878b07889c8
SHA512b7bdbc36a7ff672c6bc3f243011509fde3689247e406902c6302f85b95d6481925b85656d87667dc1e7b0b767a7e2a68012c5dc87681faed8e2b2440d73d5e30
-
Filesize
266B
MD558d9dfff841d9e7581d65c60e70b48c3
SHA1447f1d2f4caf5bf2b4813d175325a6f5252a38da
SHA2560200375a5f0a67db4faca3599df373d031c93ec18c766e5d9351aa44e36a1fbd
SHA512a4ba366c771596b182b548522c25b0e3b69f2d4176593d678d4dc2052367091465017da700eb96cf6102d2c9e5f92533a5b5fd244f7cd8bf871fb7947acab296
-
Filesize
78KB
MD5f5d304788674fccccfb4cdec1b148890
SHA1078eae6e7e101a7aa1ca58863cc186cef9a59331
SHA256457aa7a80f3cc5a9a099766cb152d17b865c7f239bfae17864c5acccdfb69849
SHA51242ed8f24cb3439d94f15c58d85b5aab908f78306a8bc75572ac76d32b1dc735d047a917a3460879cc6aab45b9ee087e6c6f151ef3cec27c49c6e2697772c9d84
-
Filesize
660B
MD54ee495d6d49b0ca1e237c3dde33e9e14
SHA17e39e04f9dfeb5ff420f4e354361a8614c7b3060
SHA256bff20bfca03c9ddd65440b09a13d8f6ccb7b25ce6d0203c4178be3c4de298b8c
SHA51269e01d594573251b36930075f39e3833c02ed6567250946f81ac7f47d31cb9bf7521eb3c868ecc6a4149db55498191ddbefa8985d31bee83c2155148a02e8385
-
Filesize
62KB
MD5aa4bdac8c4e0538ec2bb4b7574c94192
SHA1ef76d834232b67b27ebd75708922adea97aeacce
SHA256d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA5120ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65