Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 134s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 03/01/2025, 01:36
Static task: static1
Behavioral task: behavioral1
- Sample: 965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
- Resource: win10v2004-20241007-en
General
- Target: 965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
- Size: 78KB
- MD5: b209d0f39e8ccfe218225108100664d1
- SHA1: 6a0896294a8d9e1442b5a7b70e1c8ef30844ff2e
- SHA256: 965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd
- SHA512: 9c52f9a7656905baf1173b59a18ab5bf9de8cf09013f2468bc99b573f24cb34eb155439be50e09d010f7286cfc3c9e58d4df781f9c146f954d2e52ca3aa3335d
- SSDEEP: 1536:NB58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6Z9/IT15VP:X58WSyRxvhTzXPvCbW2U29/mP
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- MetamorpherRAT family
- Executes dropped EXE (1 IoCs)
  pid   Process
  1996  tmp9905.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                           Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmp9905.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp9905.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
  Token: SeDebugPrivilege  1996  tmp9905.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                Kprocid_target
  PID 2416 wrote to memory of 2444  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe  30
  PID 2416 wrote to memory of 2444  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe  30
  PID 2416 wrote to memory of 2444  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe  30
  PID 2416 wrote to memory of 2444  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe  30
  PID 2444 wrote to memory of 3000  2444  vbc.exe                                                                32
  PID 2444 wrote to memory of 3000  2444  vbc.exe                                                                32
  PID 2444 wrote to memory of 3000  2444  vbc.exe                                                                32
  PID 2444 wrote to memory of 3000  2444  vbc.exe                                                                32
  PID 2416 wrote to memory of 1996  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe  33
  PID 2416 wrote to memory of 1996  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe  33
  PID 2416 wrote to memory of 1996  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe  33
  PID 2416 wrote to memory of 1996  2416  965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2416
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jjcoy4in.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2444
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A2D.tmp"
      - System Location Discovery: System Language Discovery
      PID: 3000
  - C:\Users\Admin\AppData\Local\Temp\tmp9905.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9905.tmp.exe" C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1996
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b6bfea2b324fa35a76f603e54059bccb
  SHA1: 23ea3296b59844db523a6d3bf0212343f8f33f62
  SHA256: 140deea7173254c45fcf358ab6205b304a378c0a1e31f2425311dc44d3df0d1b
  SHA512: a202297fc82fe51c0bf308a98de17ec56eaaf657768894b48cadaf90afa0133ff9877bc7eda32016544f5a8b8fb35f2acacd9946a0811770a50db6c5f941dd3c
- Filesize: 14KB
  MD5: 79bd6fd607d9bea1fd4c3a4243de7bfd
  SHA1: 2f766c5dfda6081c448ffafab33b57b6b855f0c8
  SHA256: 2cc85fe10eb2008bc5d8c1e82f8749d55d28ecfba7b592b57d5c35018663e2e5
  SHA512: 8909f0dc094916a6a43a4cf3b617cba15e931132e86c688a153764a16347ab8e7ea02ed4ae82f3c7192f48cca7c07354bc2862330b18469b83d4f3f02e5a741f
- Filesize: 266B
  MD5: 97e21d6a993bd49c59a61c23d2631f2f
  SHA1: 34810a99c7b7a3c6020788e2e8fe87fcf3502c2b
  SHA256: 8e2dec15da90ac4f16733eb9750581f42f22f93db6f0d99ea5db897d57885c6a
  SHA512: 609c0f41c2dadcc7899b511bd1c711f634d155a476b261fd2f398c9753fab1a30b3a867745eaa4da681fcf9669138cfb9f539e4bfcf0b4dbea5d02bb26b6b137
- Filesize: 78KB
  MD5: 959e9369bffce4b8505136b5e799631a
  SHA1: b793bfb99c0fb2c9f832ba9d29d7c4703931bfc5
  SHA256: 5490f2a7e408b8b5be03bf228ff9d41ab3fb1b422e540f9233735d4f8f337ba3
  SHA512: 18da136c3f34cd4a9ec05f48cd77e78821d88978c16eb21dd318f80334d7cd62a9df7423de21869a1c286217a6e5c0b459ba1300d0b47ea568479e64a4edeeb7
- Filesize: 660B
  MD5: 3f517ae124cf974a619a0df33f750257
  SHA1: 1e2a89d80dd3b32c009671a3d75d0df5183d7a6e
  SHA256: 279531359ffeefcacbed32b4b6ce80336dc64ad5dbdd67826bef77ede712b984
  SHA512: 07640358f82822141a955c09102b8bad83924c1326c02da34cd3cc4f359683ebb5861173c9707819cf31ba2efc216edd63e0505f72f42fb22adf5e671fc17805
- Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c