Analysis
max time kernel: 117s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2025, 11:57
Static task: static1
Behavioral task: behavioral1
  Sample: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  Resource: win10v2004-20241007-en
General
Target: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
Size: 78KB
MD5: 83b27d364390c72c4e2e7f40987a6fc0
SHA1: 3513ba5080ad679d18aa7c390d88e143da07890a
SHA256: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28
SHA512: 43c4529f562df253bbfa31fdf5436c5b0f60e1e9bd9c5243a4f2bf1641e4e394f3f28cd21d651ac2c7cda8f97afe23121edcda78e029002e510636bfee78d59e
SSDEEP: 1536:PuHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRd9/U19K:PuHYnh/l0Y9MDYrm7Rd9/B
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation
  Process: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
- Deletes itself (1 IoC)
  pid: 3956
  Process: tmp901A.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 3956
  Process: tmp901A.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""
  Process: tmp901A.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: vbc.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: cvtres.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: tmp901A.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege
  pid: 1876
  Process: 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  description: Token: SeDebugPrivilege
  pid: 3956
  Process: tmp901A.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  (description; pid; Process; procid_target)
  PID 1876 wrote to memory of 3320; 1876; 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe; 83
  PID 1876 wrote to memory of 3320; 1876; 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe; 83
  PID 1876 wrote to memory of 3320; 1876; 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe; 83
  PID 3320 wrote to memory of 3480; 3320; vbc.exe; 85
  PID 3320 wrote to memory of 3480; 3320; vbc.exe; 85
  PID 3320 wrote to memory of 3480; 3320; vbc.exe; 85
  PID 1876 wrote to memory of 3956; 1876; 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe; 86
  PID 1876 wrote to memory of 3956; 1876; 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe; 86
  PID 1876 wrote to memory of 3956; 1876; 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe; 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1876
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cberiwc1.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3320
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74DB9FCC96714890ACAE4FDB92BB31CA.TMP"
         - System Location Discovery: System Language Discovery
         PID: 3480
   2. C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3956
Network
MITRE ATT&CK Enterprise v15
Downloads