Analysis

  • max time kernel: 140s
  • max time network: 144s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/12/2024, 01:25

General

  • Target: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  • Size: 78KB
  • MD5: 2d1040cbb7d90db8d32d9e9d98cfe41c
  • SHA1: b20f3369032316407495a6e6a032033549417a48
  • SHA256: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586
  • SHA512: 29326b444beef438e5923e5c4750e14f71112a43340d340c74bec258e29ce598e4dc20cf93c5a2b893bad940b645e8221df7f9557267013c9e383ac9a68caa90
  • SSDEEP: 1536:VVe55AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6TS9/D14qU:3e55AtWDDILJLovbicqOq3o+nh9/5U

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
    "C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzmhfsxt.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA545.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA544.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2140
    • C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA545.tmp
    Filesize: 1KB
    MD5: 679c42e2a5f3e95564849a73f0685f99
    SHA1: f715663aa659d139fe7621d082472d25a1fa2ffc
    SHA256: 759db95068bb63f94dd1083d709776339c616b5fb770f63e7ab3b762e932abfb
    SHA512: 2753b3beb06586851ea4e50c3d1348480ab3a820daacbd947757da8f1289d9497dafd5f8fd91824a4a20ed5e5e33a8953bdb5a6fa7131281411b80eb211f261a

  • C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp.exe
    Filesize: 78KB
    MD5: 535d9989533b0a2409d5d4fbd68d6359
    SHA1: 82f95f1ded2513896bfa0519561f470ca6a51e5e
    SHA256: dffde40cbbebfbc3baf8a130b44cfffa25b358098e4d4bbe3a81d53469b90813
    SHA512: 9819df99758b4df90667f6d322eeaff46c228dd7c0f37150c452b27be2c88ada49f45a1ad560a90b8821f59614090b68a5d952c5874971d2719f16bad826ff61

  • C:\Users\Admin\AppData\Local\Temp\vbcA544.tmp
    Filesize: 660B
    MD5: bea5262bdb89ce5558dd9de7879ad900
    SHA1: d90b8e48936d0dc9d6f5fa3aa75fc441434d93b4
    SHA256: 883e3f20912adf5d050ceebf4b9ff2a6afee5b45aac708677e32e0ca59585ec2
    SHA512: 3d215bf31ce07cf10bc1deaae7e04204e322fe352a795d8542b4c87578591e6d2a33e050de459021c6dfbcf929a321c7093fcc5d98dfa054b7353515f55de21e

  • C:\Users\Admin\AppData\Local\Temp\xzmhfsxt.0.vb
    Filesize: 14KB
    MD5: b202d98ec6728d4efae3268b06229276
    SHA1: f76f265440ae37c60f96e469c0360506acd0e0c6
    SHA256: 13120c9ba85c8ba5a65c382c53e5189005aee26349d4da0de49039c62b60d5e6
    SHA512: b650b5cb044e60e5fb6cd17a174cc38358dc437a8e6eb6cefcae785b9ca446239fc28158c5bfa8aece42d1bdf9a5597c7cf394727017073d752e8f5ce92514c4

  • C:\Users\Admin\AppData\Local\Temp\xzmhfsxt.cmdline
    Filesize: 266B
    MD5: 91e5b7c465d9d6d522cc40b62ac4aa07
    SHA1: 3a3c6feac97e181c49d994638bb671013e3c3889
    SHA256: d838edd83f0c3855f03080a775f26a51006683e1fccc46fc4005877fc404d092
    SHA512: 080ab951654312bc7c1c397260d0a4fb0660dbb7a8afed001bb75d048118461fe37e45340de217e57ed540b725a0105103013b5eba5c2ec9bb6b9a9841e55003

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: a26b0f78faa3881bb6307a944b096e91
    SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
    SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
    SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

  • memory/1948-8-0x0000000074BC0000-0x000000007516B000-memory.dmp
    Filesize: 5.7MB
  • memory/1948-18-0x0000000074BC0000-0x000000007516B000-memory.dmp
    Filesize: 5.7MB
  • memory/1980-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp
    Filesize: 4KB
  • memory/1980-1-0x0000000074BC0000-0x000000007516B000-memory.dmp
    Filesize: 5.7MB
  • memory/1980-2-0x0000000074BC0000-0x000000007516B000-memory.dmp
    Filesize: 5.7MB
  • memory/1980-24-0x0000000074BC0000-0x000000007516B000-memory.dmp
    Filesize: 5.7MB