
Analysis

  • max time kernel
    134s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/01/2025, 01:36

General

  • Target

    965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe

  • Size

    78KB

  • MD5

    b209d0f39e8ccfe218225108100664d1

  • SHA1

    6a0896294a8d9e1442b5a7b70e1c8ef30844ff2e

  • SHA256

    965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd

  • SHA512

    9c52f9a7656905baf1173b59a18ab5bf9de8cf09013f2468bc99b573f24cb34eb155439be50e09d010f7286cfc3c9e58d4df781f9c146f954d2e52ca3aa3335d

  • SSDEEP

    1536:NB58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6Z9/IT15VP:X58WSyRxvhTzXPvCbW2U29/mP

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
    "C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jjcoy4in.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A2D.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3000
    • C:\Users\Admin\AppData\Local\Temp\tmp9905.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9905.tmp.exe" C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1996

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES9A2E.tmp

    Filesize

    1KB

    MD5

    b6bfea2b324fa35a76f603e54059bccb

    SHA1

    23ea3296b59844db523a6d3bf0212343f8f33f62

    SHA256

    140deea7173254c45fcf358ab6205b304a378c0a1e31f2425311dc44d3df0d1b

    SHA512

    a202297fc82fe51c0bf308a98de17ec56eaaf657768894b48cadaf90afa0133ff9877bc7eda32016544f5a8b8fb35f2acacd9946a0811770a50db6c5f941dd3c

  • C:\Users\Admin\AppData\Local\Temp\jjcoy4in.0.vb

    Filesize

    14KB

    MD5

    79bd6fd607d9bea1fd4c3a4243de7bfd

    SHA1

    2f766c5dfda6081c448ffafab33b57b6b855f0c8

    SHA256

    2cc85fe10eb2008bc5d8c1e82f8749d55d28ecfba7b592b57d5c35018663e2e5

    SHA512

    8909f0dc094916a6a43a4cf3b617cba15e931132e86c688a153764a16347ab8e7ea02ed4ae82f3c7192f48cca7c07354bc2862330b18469b83d4f3f02e5a741f

  • C:\Users\Admin\AppData\Local\Temp\jjcoy4in.cmdline

    Filesize

    266B

    MD5

    97e21d6a993bd49c59a61c23d2631f2f

    SHA1

    34810a99c7b7a3c6020788e2e8fe87fcf3502c2b

    SHA256

    8e2dec15da90ac4f16733eb9750581f42f22f93db6f0d99ea5db897d57885c6a

    SHA512

    609c0f41c2dadcc7899b511bd1c711f634d155a476b261fd2f398c9753fab1a30b3a867745eaa4da681fcf9669138cfb9f539e4bfcf0b4dbea5d02bb26b6b137

  • C:\Users\Admin\AppData\Local\Temp\tmp9905.tmp.exe

    Filesize

    78KB

    MD5

    959e9369bffce4b8505136b5e799631a

    SHA1

    b793bfb99c0fb2c9f832ba9d29d7c4703931bfc5

    SHA256

    5490f2a7e408b8b5be03bf228ff9d41ab3fb1b422e540f9233735d4f8f337ba3

    SHA512

    18da136c3f34cd4a9ec05f48cd77e78821d88978c16eb21dd318f80334d7cd62a9df7423de21869a1c286217a6e5c0b459ba1300d0b47ea568479e64a4edeeb7

  • C:\Users\Admin\AppData\Local\Temp\vbc9A2D.tmp

    Filesize

    660B

    MD5

    3f517ae124cf974a619a0df33f750257

    SHA1

    1e2a89d80dd3b32c009671a3d75d0df5183d7a6e

    SHA256

    279531359ffeefcacbed32b4b6ce80336dc64ad5dbdd67826bef77ede712b984

    SHA512

    07640358f82822141a955c09102b8bad83924c1326c02da34cd3cc4f359683ebb5861173c9707819cf31ba2efc216edd63e0505f72f42fb22adf5e671fc17805

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/2416-0-0x0000000074AD1000-0x0000000074AD2000-memory.dmp

    Filesize

    4KB

  • memory/2416-1-0x0000000074AD0000-0x000000007507B000-memory.dmp

    Filesize

    5.7MB

  • memory/2416-2-0x0000000074AD0000-0x000000007507B000-memory.dmp

    Filesize

    5.7MB

  • memory/2416-24-0x0000000074AD0000-0x000000007507B000-memory.dmp

    Filesize

    5.7MB

  • memory/2444-8-0x0000000074AD0000-0x000000007507B000-memory.dmp

    Filesize

    5.7MB

  • memory/2444-18-0x0000000074AD0000-0x000000007507B000-memory.dmp

    Filesize

    5.7MB