Analysis
- max time kernel: 140s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 11/12/2024, 01:25
Static task: static1
Behavioral task: behavioral1
- Sample: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
- Resource: win10v2004-20241007-en
General
- Target: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
- Size: 78KB
- MD5: 2d1040cbb7d90db8d32d9e9d98cfe41c
- SHA1: b20f3369032316407495a6e6a032033549417a48
- SHA256: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586
- SHA512: 29326b444beef438e5923e5c4750e14f71112a43340d340c74bec258e29ce598e4dc20cf93c5a2b893bad940b645e8221df7f9557267013c9e383ac9a68caa90
- SSDEEP: 1536:VVe55AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6TS9/D14qU:3e55AtWDDILJLovbicqOq3o+nh9/5U
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  pid | Process
  2832 | tmpA43B.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | tmpA43B.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpA43B.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  Token: SeDebugPrivilege | 2832 | tmpA43B.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1980 wrote to memory of 1948 | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe | 30
  PID 1980 wrote to memory of 1948 | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe | 30
  PID 1980 wrote to memory of 1948 | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe | 30
  PID 1980 wrote to memory of 1948 | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe | 30
  PID 1948 wrote to memory of 2140 | 1948 | vbc.exe | 32
  PID 1948 wrote to memory of 2140 | 1948 | vbc.exe | 32
  PID 1948 wrote to memory of 2140 | 1948 | vbc.exe | 32
  PID 1948 wrote to memory of 2140 | 1948 | vbc.exe | 32
  PID 1980 wrote to memory of 2832 | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe | 33
  PID 1980 wrote to memory of 2832 | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe | 33
  PID 1980 wrote to memory of 2832 | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe | 33
  PID 1980 wrote to memory of 2832 | 1980 | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe"
  PID: 1980
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzmhfsxt.cmdline"
    PID: 1948
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA545.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA544.tmp"
      PID: 2140
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
    PID: 2832
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 679c42e2a5f3e95564849a73f0685f99
  SHA1: f715663aa659d139fe7621d082472d25a1fa2ffc
  SHA256: 759db95068bb63f94dd1083d709776339c616b5fb770f63e7ab3b762e932abfb
  SHA512: 2753b3beb06586851ea4e50c3d1348480ab3a820daacbd947757da8f1289d9497dafd5f8fd91824a4a20ed5e5e33a8953bdb5a6fa7131281411b80eb211f261a
- Filesize: 78KB
  MD5: 535d9989533b0a2409d5d4fbd68d6359
  SHA1: 82f95f1ded2513896bfa0519561f470ca6a51e5e
  SHA256: dffde40cbbebfbc3baf8a130b44cfffa25b358098e4d4bbe3a81d53469b90813
  SHA512: 9819df99758b4df90667f6d322eeaff46c228dd7c0f37150c452b27be2c88ada49f45a1ad560a90b8821f59614090b68a5d952c5874971d2719f16bad826ff61
- Filesize: 660B
  MD5: bea5262bdb89ce5558dd9de7879ad900
  SHA1: d90b8e48936d0dc9d6f5fa3aa75fc441434d93b4
  SHA256: 883e3f20912adf5d050ceebf4b9ff2a6afee5b45aac708677e32e0ca59585ec2
  SHA512: 3d215bf31ce07cf10bc1deaae7e04204e322fe352a795d8542b4c87578591e6d2a33e050de459021c6dfbcf929a321c7093fcc5d98dfa054b7353515f55de21e
- Filesize: 14KB
  MD5: b202d98ec6728d4efae3268b06229276
  SHA1: f76f265440ae37c60f96e469c0360506acd0e0c6
  SHA256: 13120c9ba85c8ba5a65c382c53e5189005aee26349d4da0de49039c62b60d5e6
  SHA512: b650b5cb044e60e5fb6cd17a174cc38358dc437a8e6eb6cefcae785b9ca446239fc28158c5bfa8aece42d1bdf9a5597c7cf394727017073d752e8f5ce92514c4
- Filesize: 266B
  MD5: 91e5b7c465d9d6d522cc40b62ac4aa07
  SHA1: 3a3c6feac97e181c49d994638bb671013e3c3889
  SHA256: d838edd83f0c3855f03080a775f26a51006683e1fccc46fc4005877fc404d092
  SHA512: 080ab951654312bc7c1c397260d0a4fb0660dbb7a8afed001bb75d048118461fe37e45340de217e57ed540b725a0105103013b5eba5c2ec9bb6b9a9841e55003
- Filesize: 62KB
  MD5: a26b0f78faa3881bb6307a944b096e91
  SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
  SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
  SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c