Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2025, 11:57

General

  • Target

    8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe

  • Size

    78KB

  • MD5

    83b27d364390c72c4e2e7f40987a6fc0

  • SHA1

    3513ba5080ad679d18aa7c390d88e143da07890a

  • SHA256

    8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28

  • SHA512

    43c4529f562df253bbfa31fdf5436c5b0f60e1e9bd9c5243a4f2bf1641e4e394f3f28cd21d651ac2c7cda8f97afe23121edcda78e029002e510636bfee78d59e

  • SSDEEP

    1536:PuHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRd9/U19K:PuHYnh/l0Y9MDYrm7Rd9/B

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
    "C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\erhnjw6c.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC478.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC477.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2920
    • C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESC478.tmp

    Filesize

    1KB

    MD5

    6df0b733d9caa156ac03ddcfb3233f05

    SHA1

    15965f56e619d727344b2d164857a7786ff0bb89

    SHA256

    a818df524e066593cba14cec681aaebef827b509b884f4d30d796011f0b2a2b8

    SHA512

    beabddb25f973c2296d3f4671ffef4449a579caa29b53e6c48b11c6a6d3212c12803d56b2d7a9ba78fde858ce597492ae379d1c9da6ee4287b9c2259284bb082

  • C:\Users\Admin\AppData\Local\Temp\erhnjw6c.0.vb

    Filesize

    15KB

    MD5

    3afb7d59a51baa8b1473b7be376f3d97

    SHA1

    60d32a61a2fc868258e1fe6ec47435fa17c8a045

    SHA256

    f21826869ce1ce5a1d7bf755d29bd5f899c49eb56ba21f53c99f242fcc3fe8ed

    SHA512

    0da28127831db793ecdb293eeed6f6fce3f0f4a597b8446c7de7682756cc0f8097e4382a37b4993b14b01af0f84711594f6b6d4a5274fbaf098f925f7f2e74a0

  • C:\Users\Admin\AppData\Local\Temp\erhnjw6c.cmdline

    Filesize

    266B

    MD5

    18c2e1ed4c919c72347d7033e9935de3

    SHA1

    d68fb924695feba2f25630809e46127bc7a33a65

    SHA256

    fc0c880a5305e718605f2f53be70f93c496a5cbe936fcd975aaf60c3aefb4556

    SHA512

    fabb9f8bf24cb8d5e684ad8567d43d9442d17024bd79b43bb63a39291109d943fd49537c4dcdcac0b4fc3183294378933c0c2b3183cc39f2655417e0c888680a

  • C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe

    Filesize

    78KB

    MD5

    0d943cf9b71cb4a51925ffbe14a08041

    SHA1

    d651009bcf870f69945bcd064e331d46e27af85f

    SHA256

    1cc7b171c5181c6fdacf0feac47b8ea4d9f467cf498953a26956c9fd8d139e5f

    SHA512

    41109308498d7ded61ca678fd8900e4d637e21b2bf10cda4f1366af2ccf62a1c74334d0cd4f08fe9b1cadf94018a624449e328f1c9350b2e307d98ad57385a78

  • C:\Users\Admin\AppData\Local\Temp\vbcC477.tmp

    Filesize

    660B

    MD5

    e64f9fa747851e9215931ce73618b274

    SHA1

    8fb41ad49cf070609473ced2a985ca930d68d559

    SHA256

    332b5d6fbbb7d311ad130384d4ffcb8a2ac08b9ea8699eb0c626d6b9bd0ed7ae

    SHA512

    73618c3e3202d147e93c81951cfe7f30f675322ef41e92bb98cdd4dcb4c0299935b619e382beaf00deea7140fb506bccd54bb6b44de42dc4a29d098197bfe8ff

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/2100-0-0x0000000074541000-0x0000000074542000-memory.dmp

    Filesize

    4KB

  • memory/2100-1-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2100-2-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2100-24-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2980-8-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2980-18-0x0000000074540000-0x0000000074AEB000-memory.dmp

    Filesize

    5.7MB