Analysis
max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
04/01/2025, 08:06
Static task
static1
Behavioral task
behavioral1
Sample
f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
Resource
win10v2004-20241007-en
General
Target
f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
Size
78KB
MD5
558aa0c0dd943b4874c510bbfab3af85
SHA1
060347d6e8a9dd5619c48349c2a1abb5e846fd5d
SHA256
f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751
SHA512
8316a939211f7242bbf21fdf35569a4e29ae3cc5eee717e8ed58d5d20c678fe4fb5c43698727299d4939708856562dea45a24b2512a396ad7a96d5be1ed49536
SSDEEP
1536:UV5jS5XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty689/51on:UV5jSpSyRxvhTzXPvCbW2Uk9/e
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
Executes dropped EXE (1 IoC)
pid  Process
3104  tmp8405.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmp8405.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp8405.tmp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  4700  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
Token: SeDebugPrivilege  3104  tmp8405.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description  pid  Process  procid_target
PID 4700 wrote to memory of 1248  4700  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe  83
PID 4700 wrote to memory of 1248  4700  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe  83
PID 4700 wrote to memory of 1248  4700  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe  83
PID 1248 wrote to memory of 2828  1248  vbc.exe  85
PID 1248 wrote to memory of 2828  1248  vbc.exe  85
PID 1248 wrote to memory of 2828  1248  vbc.exe  85
PID 4700 wrote to memory of 3104  4700  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe  86
PID 4700 wrote to memory of 3104  4700  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe  86
PID 4700 wrote to memory of 3104  4700  f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe  86
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4700

  Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c5yarxew.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1248

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72B895D98ED74F308936306A25152B50.TMP"
      - System Location Discovery: System Language Discovery
      PID: 2828

  Level 2: C:\Users\Admin\AppData\Local\Temp\tmp8405.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8405.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f7f4bea88a1585dcef3b51e99c722960e01ba822bd8df5c6c546dac1cec07751.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3104
Network
MITRE ATT&CK Enterprise v15
Downloads