Analysis
  max time kernel: 143s
  max time network: 146s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 24/12/2024, 01:59
Static task: static1
Behavioral task: behavioral1
  Sample: d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
  Resource: win10v2004-20241007-en
General
  Target: d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
  Size: 78KB
  MD5: 837abde8fa35d366c09df5da9e5b84c3
  SHA1: 140d6b31e98c1759d10440e9feac470ed8199de0
  SHA256: d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4
  SHA512: 3053f6d2fdaee757c4fddafeccbce1e7e7a7b1300bc6fc9e76b2cb98a6eb170d5382597eae44f2330d008e8d321e4c6428f5c1e473f05bb6c6137827a4b75104
  SSDEEP: 1536:Na4V5jSJXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6Q9/41UM:Y4V5jS5SyRxvhTzXPvCbW2UI9/o
Malware Config
Signatures
MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Executes dropped EXE (1 IoC)
  pid   Process
  2808  tmpBAF6.tmp.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
  2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmpBAF6.tmp.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     tmpBAF6.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege  2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
  Token: SeDebugPrivilege  2808  tmpBAF6.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2440 wrote to memory of 1124   2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe  30
  PID 2440 wrote to memory of 1124   2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe  30
  PID 2440 wrote to memory of 1124   2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe  30
  PID 2440 wrote to memory of 1124   2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe  30
  PID 1124 wrote to memory of 2340   1124  vbc.exe                                                                 32
  PID 1124 wrote to memory of 2340   1124  vbc.exe                                                                 32
  PID 1124 wrote to memory of 2340   1124  vbc.exe                                                                 32
  PID 1124 wrote to memory of 2340   1124  vbc.exe                                                                 32
  PID 2440 wrote to memory of 2808   2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe  33
  PID 2440 wrote to memory of 2808   2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe  33
  PID 2440 wrote to memory of 2808   2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe  33
  PID 2440 wrote to memory of 2808   2440  d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe  33
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe"
    PID: 2440
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lhvgzeec.cmdline"
        PID: 1124
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBEF.tmp"
            PID: 2340
            - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\tmpBAF6.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBAF6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
        PID: 2808
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: 025285bca2b45022803299e2edd00b09
  SHA1: baca8b85797ba10a6d12bb3ec1bec86a4791cb9e
  SHA256: e0fdb2587a74c63a4a70c5e1baba46bb654c947480712314ebbdff58ee1f4a14
  SHA512: 428541aa4b5eebc8686c61296846571627119f6063497da1c4538f52014df5b8a8abbfcdaefd35a27d885eb542598b7bb9de3a53ce4b9b125c7ff58ab3db5b34
File 2
  Filesize: 14KB
  MD5: ca6972e7576798106a0c76d75c129de6
  SHA1: b7e2e3c4a6d6929752e3e95c26a4948c50447e98
  SHA256: e94125ebbbc61f4ecd87657d2126088420ce285e248f9043528ee9aaae0a1c82
  SHA512: 2415d584e841d1a2a170eeb8c5eb89220822787ea743feede6d0c92475a69022a8746d583c0efc536ae98cc8086d46bc0fb5c92a68dff59655aa26ed7da33337
File 3
  Filesize: 266B
  MD5: 34f9ea69ebfa5ad7fb02802429e0b62b
  SHA1: 04aa36031c53f028011ff195a1144decd41d113a
  SHA256: aff82025446feb28d25b9586053382c8f88031990b54cfe78cd971a67fb2ac47
  SHA512: 17a12f930155e4395acb49a1e3d70e1d494a77a31bd43caac2f929a155500b2d3ed9897d78d1b290c31bab5400199f1e4fdc66a1eb2eb1078b38ec2ab41c456a
File 4
  Filesize: 78KB
  MD5: 7b8f652df82271cc971be4ffb6690df8
  SHA1: 0510f667541dd0b1639fae8b5124ac4d87ae208a
  SHA256: 3dac80407db8e2264680f34fbf7eb7a7b28adc6b33232cba59a269025625bb76
  SHA512: ce3ceb47f7fe667dd624cc7c2fa9e1d9369217fc075381a1b5726a6d4ad40849bc5977defaac0c24536760874348b7d70a20a1d671d60686df17f925673efea8
File 5
  Filesize: 660B
  MD5: 570152f998b04a4641a5c7249f6fb4ce
  SHA1: 99fa2a6828a15ade86c550e6dd47e5889d39eda6
  SHA256: 0874cc3922638d2a6d05cf0ae9f2a9cca69667eda8c0f4d9648f8ffa3c8ea11e
  SHA512: 4c809afaa5541616ba6f907c5c65641c48a10b9808a6ae2a11d4f52e535711612471e19737d8aaf35b26e180d65a3333a9276ebf50c0353a0787e101009dcc61
File 6
  Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c