Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04/01/2025, 08:06
Static task: static1
Behavioral task: behavioral1
- Sample: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
- Resource: win10v2004-20241007-en
General
- Target: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
- Size: 78KB
- MD5: 558aa0c0dd943b4874c510bbfab3af85
- SHA1: 060347d6e8a9dd5619c48349c2a1abb5e846fd5d
- SHA256: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751
- SHA512: 8316a939211f7242bbf21fdf35569a4e29ae3cc5eee717e8ed58d5d20c678fe4fb5c43698727299d4939708856562dea45a24b2512a396ad7a96d5be1ed49536
- SSDEEP: 1536:UV5jS5XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty689/51on:UV5jSpSyRxvhTzXPvCbW2Uk9/e
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Deletes itself (1 IoC)
  pid: 1148, process: tmpC284.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 1148, process: tmpC284.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
  pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
  process: tmpC284.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: vbc.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: cvtres.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: tmpC284.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
  description: Token: SeDebugPrivilege, pid: 1148, process: tmpC284.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 2112 wrote to memory of 2344, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe, procid_target: 30
  description: PID 2112 wrote to memory of 2344, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe, procid_target: 30
  description: PID 2112 wrote to memory of 2344, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe, procid_target: 30
  description: PID 2112 wrote to memory of 2344, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe, procid_target: 30
  description: PID 2344 wrote to memory of 2108, pid: 2344, process: vbc.exe, procid_target: 32
  description: PID 2344 wrote to memory of 2108, pid: 2344, process: vbc.exe, procid_target: 32
  description: PID 2344 wrote to memory of 2108, pid: 2344, process: vbc.exe, procid_target: 32
  description: PID 2344 wrote to memory of 2108, pid: 2344, process: vbc.exe, procid_target: 32
  description: PID 2112 wrote to memory of 1148, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe, procid_target: 33
  description: PID 2112 wrote to memory of 1148, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe, procid_target: 33
  description: PID 2112 wrote to memory of 1148, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe, procid_target: 33
  description: PID 2112 wrote to memory of 1148, pid: 2112, process: f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe, procid_target: 33
Processes
- C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe"
  Depth: 1
  PID: 2112
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vwab4lok.cmdline"
    Depth: 2
    PID: 2344
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC498.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC497.tmp"
      Depth: 3
      PID: 2108
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
    Depth: 2
    PID: 1148
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads