Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/01/2025, 08:06

General

  • Target

    f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe

  • Size

    78KB

  • MD5

    558aa0c0dd943b4874c510bbfab3af85

  • SHA1

    060347d6e8a9dd5619c48349c2a1abb5e846fd5d

  • SHA256

    f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751

  • SHA512

    8316a939211f7242bbf21fdf35569a4e29ae3cc5eee717e8ed58d5d20c678fe4fb5c43698727299d4939708856562dea45a24b2512a396ad7a96d5be1ed49536

  • SSDEEP

    1536:UV5jS5XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty689/51on:UV5jSpSyRxvhTzXPvCbW2Uk9/e

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Metamorpherrat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
    "C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vwab4lok.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC498.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC497.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2108
    • C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1148

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESC498.tmp

    Filesize

    1KB

    MD5

    4c9b060d6117e19fab58b72345d7d5a3

    SHA1

    6cc7a35fda4b359b0dd5cc467b077be89b3d51e6

    SHA256

    2fe247725f761b1801d4e7f493e5bd9a91d6fee28400d98967b2f14554568e6d

    SHA512

    f4d58d523dbf8382f964004afd4644e93f44ba50db33a642ec9fd4669047c3d2c832acdf8c8d474fe6b874d7103b004e649936b39a9844fff4e43d125af0bc7d

  • C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp.exe

    Filesize

    78KB

    MD5

    e853b85f28f718f4e65f3c17bef3f3d9

    SHA1

    eb1c88368a4b3f7881b331c32e8f7de72baa4aa1

    SHA256

    407e8a63867a0f5cacdd4f0c8af5bc560b7d2de6ae3558109a2a9ef597d7a935

    SHA512

    6262ae595b468df4a5e210cc91fa376883411c6e9df865531cece273546cdddc77ae24eb8233170b697691679f12430a498c0ccbc526f93b2cb59dc9b8dd4eff

  • C:\Users\Admin\AppData\Local\Temp\vbcC497.tmp

    Filesize

    660B

    MD5

    9c3ac29eae6af1a586731edd9baab894

    SHA1

    398459ce53eef68a8b87c1ae3a7beb2688309951

    SHA256

    82cb8d0855e20a21d5dbc6889908884f4529ddbb21e9b795687b728283692b9d

    SHA512

    42cd2dcd5e1212d3db3c7e42bb13d550133a870530b98f7c7c5ad7be583bcf726b5b9e8b00ac758913e4978b374756862eea4bc26aa8bbeb1e57d24744e6a4e7

  • C:\Users\Admin\AppData\Local\Temp\vwab4lok.0.vb

    Filesize

    14KB

    MD5

    c4b079815e784f03707fc8115163e9f4

    SHA1

    bdae512cbf017360da7d5af01ffe15f1810ce961

    SHA256

    09829128016a09beae4dcdc810bbaa7cee5d34e6e91165ee2b912a2d57f6f56f

    SHA512

    06824e0a4b461fc3653923ff7f2a54b1706f94ae50f08ffdb1e4c77f3340796c80cea19969c3182b4e7aec019c2a27edbe8036108bf80d443be56479f484de20

  • C:\Users\Admin\AppData\Local\Temp\vwab4lok.cmdline

    Filesize

    266B

    MD5

    6fbe7b1e1d61e43fbea99f4ceb7a347e

    SHA1

    5b80364e9c5fba091fe92ce1b05f9d1eee340e40

    SHA256

    b21fb24f560e23f1005066f2b0e4dc55627695e7e27ff0546ac956194de5ec5a

    SHA512

    dd9ba6f545609fa81b38a67b18b54e6a54d9f0c204edb742c471a41e8ea664543b0a1671a9c760d2c665000eacde3f6a90f43231e8b7788910f964e7d88bf176

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/2112-0-0x0000000074771000-0x0000000074772000-memory.dmp

    Filesize

    4KB

  • memory/2112-1-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2112-6-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2112-23-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2344-8-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2344-18-0x0000000074770000-0x0000000074D1B000-memory.dmp

    Filesize

    5.7MB