Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2024, 01:59

General

  • Target

    d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe

  • Size

    78KB

  • MD5

    837abde8fa35d366c09df5da9e5b84c3

  • SHA1

    140d6b31e98c1759d10440e9feac470ed8199de0

  • SHA256

    d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4

  • SHA512

    3053f6d2fdaee757c4fddafeccbce1e7e7a7b1300bc6fc9e76b2cb98a6eb170d5382597eae44f2330d008e8d321e4c6428f5c1e473f05bb6c6137827a4b75104

  • SSDEEP

    1536:Na4V5jSJXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6Q9/41UM:Y4V5jS5SyRxvhTzXPvCbW2UI9/o

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
    "C:\Users\Admin\AppData\Local\Temp\d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lhvgzeec.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBEF.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2340
    • C:\Users\Admin\AppData\Local\Temp\tmpBAF6.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBAF6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
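
The process tree above shows the pattern behind the "Uses the VBS compiler for execution" and "Executes dropped EXE" signatures: the sample in %TEMP% launches vbc.exe with a .cmdline response file, cvtres.exe runs as the normal child of that compile, and a freshly built tmpBAF6.tmp.exe is started with the original sample's path as its argument. The following is an added example, not part of the tria.ge report, of detection logic that replays process-creation events shaped like that tree and flags each of those behaviours. The event records are constructed from the command lines in the report; the field names (pid, ppid, image, cmdline), the rule names, and the parent PID 0 for the root process are assumptions and do not correspond to any particular EDR schema.

```python
"""Flag runtime .NET compilation and dropped-EXE execution in process events.

Constructed for illustration: the events mirror the tria.ge process tree
(PID 2440 -> 1124 -> 2340 and 2440 -> 2808); the schema is hypothetical.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\d8e58d7f4f9e05201eab6098cbb716aa27d2a33b761b2742700275067db097c4.exe"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed from the report's process tree (ppid 0 for the root is an assumption).
EVENTS = [
    ProcEvent(2440, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1124, 2440, NETFX + r"\vbc.exe",
              f'"{NETFX}\\vbc.exe" /noconfig @"{TEMP}\\lhvgzeec.cmdline"'),
    ProcEvent(2340, 1124, NETFX + r"\cvtres.exe",
              f'{NETFX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:{TEMP}\\RESBC00.tmp" "{TEMP}\\vbcBBEF.tmp"'),
    ProcEvent(2808, 2440, TEMP + r"\tmpBAF6.tmp.exe",
              f'"{TEMP}\\tmpBAF6.tmp.exe" {SAMPLE}'),
]

# .NET command-line compilers that malware drives at runtime.
COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}
# vbc/csc read their arguments from an @response file; this is the .cmdline seen above.
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline"?', re.IGNORECASE)
# The CodeDOM temp-output naming scheme: tmpXXXX.tmp.exe in the user's temp directory.
TMP_EXE = re.compile(r"\\tmp[0-9A-F]{4}\.tmp\.exe$", re.IGNORECASE)


def user_writable(path: str) -> bool:
    """True for images living under a user-writable root (assumption: C:\\Users, C:\\ProgramData)."""
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def detect(events):
    """Return (pid, rule, detail) tuples for events matching the tree's suspicious steps.

    cvtres.exe is the expected child of a vbc/csc compile and is deliberately not
    alerted on its own; the compiler launch is the point where the chain is flagged.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)

        # Rule 1: a .NET compiler spawned by something running from a user-writable path.
        if name in COMPILERS and parent is not None and user_writable(parent.image):
            m = RESPONSE_FILE.search(e.cmdline)
            detail = f"parent {parent.pid} {parent.image}; " + (
                f"response file {m.group(0)}" if m else "no response file")
            findings.append((e.pid, "runtime_dotnet_compile", detail))

        # Rule 2: execution of a CodeDOM-style temp binary (the compile's output).
        if TMP_EXE.search(e.image):
            findings.append((e.pid, "tmp_exe_execution", e.image))

        # Rule 3: a child started with its parent's own image path on the command line,
        # as when a dropper hands its location to the dropped copy.
        if parent is not None and parent.image.lower() in e.cmdline.lower():
            findings.append((e.pid, "parent_path_as_argument", parent.image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

Run stand-alone the block prints three findings, all on PIDs 1124 and 2808; the root sample (2440) and cvtres.exe (2340) produce none, which is the intended precision: on a developer workstation vbc.exe under msbuild or devenv would not match rule 1 because those parents live under Program Files, not a user-writable root.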

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESBC00.tmp

    Filesize

    1KB

    MD5

    025285bca2b45022803299e2edd00b09

    SHA1

    baca8b85797ba10a6d12bb3ec1bec86a4791cb9e

    SHA256

    e0fdb2587a74c63a4a70c5e1baba46bb654c947480712314ebbdff58ee1f4a14

    SHA512

    428541aa4b5eebc8686c61296846571627119f6063497da1c4538f52014df5b8a8abbfcdaefd35a27d885eb542598b7bb9de3a53ce4b9b125c7ff58ab3db5b34

  • C:\Users\Admin\AppData\Local\Temp\lhvgzeec.0.vb

    Filesize

    14KB

    MD5

    ca6972e7576798106a0c76d75c129de6

    SHA1

    b7e2e3c4a6d6929752e3e95c26a4948c50447e98

    SHA256

    e94125ebbbc61f4ecd87657d2126088420ce285e248f9043528ee9aaae0a1c82

    SHA512

    2415d584e841d1a2a170eeb8c5eb89220822787ea743feede6d0c92475a69022a8746d583c0efc536ae98cc8086d46bc0fb5c92a68dff59655aa26ed7da33337

  • C:\Users\Admin\AppData\Local\Temp\lhvgzeec.cmdline

    Filesize

    266B

    MD5

    34f9ea69ebfa5ad7fb02802429e0b62b

    SHA1

    04aa36031c53f028011ff195a1144decd41d113a

    SHA256

    aff82025446feb28d25b9586053382c8f88031990b54cfe78cd971a67fb2ac47

    SHA512

    17a12f930155e4395acb49a1e3d70e1d494a77a31bd43caac2f929a155500b2d3ed9897d78d1b290c31bab5400199f1e4fdc66a1eb2eb1078b38ec2ab41c456a

  • C:\Users\Admin\AppData\Local\Temp\tmpBAF6.tmp.exe

    Filesize

    78KB

    MD5

    7b8f652df82271cc971be4ffb6690df8

    SHA1

    0510f667541dd0b1639fae8b5124ac4d87ae208a

    SHA256

    3dac80407db8e2264680f34fbf7eb7a7b28adc6b33232cba59a269025625bb76

    SHA512

    ce3ceb47f7fe667dd624cc7c2fa9e1d9369217fc075381a1b5726a6d4ad40849bc5977defaac0c24536760874348b7d70a20a1d671d60686df17f925673efea8

  • C:\Users\Admin\AppData\Local\Temp\vbcBBEF.tmp

    Filesize

    660B

    MD5

    570152f998b04a4641a5c7249f6fb4ce

    SHA1

    99fa2a6828a15ade86c550e6dd47e5889d39eda6

    SHA256

    0874cc3922638d2a6d05cf0ae9f2a9cca69667eda8c0f4d9648f8ffa3c8ea11e

    SHA512

    4c809afaa5541616ba6f907c5c65641c48a10b9808a6ae2a11d4f52e535711612471e19737d8aaf35b26e180d65a3333a9276ebf50c0353a0787e101009dcc61

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/1124-8-0x0000000073E00000-0x00000000743AB000-memory.dmp

    Filesize

    5.7MB

  • memory/1124-18-0x0000000073E00000-0x00000000743AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-0-0x0000000073E01000-0x0000000073E02000-memory.dmp

    Filesize

    4KB

  • memory/2440-1-0x0000000073E00000-0x00000000743AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-2-0x0000000073E00000-0x00000000743AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-24-0x0000000073E00000-0x00000000743AB000-memory.dmp

    Filesize

    5.7MB