Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03/01/2025, 11:57
Static task
- static1

Behavioral task
- behavioral1
  Sample: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  Resource: win7-20240903-en

Behavioral task
- behavioral2
  Sample: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  Resource: win10v2004-20241007-en
General
- Target: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
- Size: 78KB
- MD5: 83b27d364390c72c4e2e7f40987a6fc0
- SHA1: 3513ba5080ad679d18aa7c390d88e143da07890a
- SHA256: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28
- SHA512: 43c4529f562df253bbfa31fdf5436c5b0f60e1e9bd9c5243a4f2bf1641e4e394f3f28cd21d651ac2c7cda8f97afe23121edcda78e029002e510636bfee78d59e
- SSDEEP: 1536:PuHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRd9/U19K:PuHYnh/l0Y9MDYrm7Rd9/B
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoCs)
  pid  | Process
  2208 | tmpC3DB.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid  | Process
  2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" | tmpC3DB.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC3DB.tmp.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  Token: SeDebugPrivilege | 2208 | tmpC3DB.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       | pid  | Process | procid_target
  PID 2100 wrote to memory of 2980  | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe | 30
  PID 2100 wrote to memory of 2980  | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe | 30
  PID 2100 wrote to memory of 2980  | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe | 30
  PID 2100 wrote to memory of 2980  | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe | 30
  PID 2980 wrote to memory of 2920  | 2980 | vbc.exe | 32
  PID 2980 wrote to memory of 2920  | 2980 | vbc.exe | 32
  PID 2980 wrote to memory of 2920  | 2980 | vbc.exe | 32
  PID 2980 wrote to memory of 2920  | 2980 | vbc.exe | 32
  PID 2100 wrote to memory of 2208  | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe | 33
  PID 2100 wrote to memory of 2208  | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe | 33
  PID 2100 wrote to memory of 2208  | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe | 33
  PID 2100 wrote to memory of 2208  | 2100 | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe"
  PID: 2100
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\erhnjw6c.cmdline"
    PID: 2980
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC478.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC477.tmp"
      PID: 2920
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
    PID: 2208
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads