Analysis
  max time kernel: 119s
  max time network: 122s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/12/2024, 17:15
Static task: static1
Behavioral task: behavioral1
  Sample: 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe
  Resource: win10v2004-20241007-en
General
  Target: 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe
  Size: 78KB
  MD5: 84dc42a761655e59101c145d75136ac0
  SHA1: 7cd31e3da685cf9dd1bbc5074e0ff29f539f4cd3
  SHA256: 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503
  SHA512: 1c1793be6a636463061d045092b7b1fceb61c82f989e80b4877516c3fba2372efd137a28de68a3e36d7f17678af5f319681690b1443372f9b2385b5273d12f69
  SSDEEP: 1536:oPCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQto9/u1xgQ:oPCHs3xSyRxvY3md+dWWZyo9/lQ
Malware Config
Signatures
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe
- Deletes itself (1 IoC)
  pid | Process
  4772 | tmpBE8D.tmp.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4772 | tmpBE8D.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmpBE8D.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpBE8D.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5032 | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe
  Token: SeDebugPrivilege | 4772 | tmpBE8D.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 5032 wrote to memory of 320 | 5032 | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe | 82
  PID 5032 wrote to memory of 320 | 5032 | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe | 82
  PID 5032 wrote to memory of 320 | 5032 | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe | 82
  PID 320 wrote to memory of 3288 | 320 | vbc.exe | 84
  PID 320 wrote to memory of 3288 | 320 | vbc.exe | 84
  PID 320 wrote to memory of 3288 | 320 | vbc.exe | 84
  PID 5032 wrote to memory of 4772 | 5032 | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe | 85
  PID 5032 wrote to memory of 4772 | 5032 | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe | 85
  PID 5032 wrote to memory of 4772 | 5032 | 8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe | 85
Processes (indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe"
  PID: 5032
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bw1pgfm1.cmdline"
    PID: 320
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1129D95802643CC9AEC8722A6D15EF8.TMP"
      PID: 3288
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpBE8D.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBE8D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8268530139ba0ef6b82f638e3e7c4902896aa8ad6ced833a688d00dbb074c503.exe
    PID: 4772
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads