
Analysis

  • max time kernel: 118s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 07/01/2025, 10:17

General

  • Target: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  • Size: 78KB
  • MD5: 64d6e93324b0895e0b790c167a579393
  • SHA1: 2f4d390f82feb9513e2decbd8b2165340e3a33f0
  • SHA256: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70
  • SHA512: 05328cf8d036b879b8e05e99b8347c306e8551ca9dde63b31eb2b1f02190de3308d179f8b46169e7e2489224dee78806d76165b4f5dfbef5a6af43045c96a552
  • SSDEEP: 1536:SRWV5iXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6O9/I1mHd:SRWV5aSyRxvY3md+dWWZyl9/Vd

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
    "C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d6b39ww9.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8E8.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2788
    • C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2676

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESE8F9.tmp
    Filesize: 1KB
    MD5: edbd075dde2a4eb44c4fc6f52e426b1b
    SHA1: 2d09e9df610060a59702fdede28ba38c0d9b4b92
    SHA256: 3c72477ae6953355f01470202e232ec74fc1f559d3cd6dfa01319892f100f9ed
    SHA512: 0abd8c73f438a7d18b368c6201fd484c7a4e92056b35d6b3a55ec691c49a36875082b447c0634816307dc70fc3002ef374d3697d77a66d0a9d221a0876756578

  • C:\Users\Admin\AppData\Local\Temp\d6b39ww9.0.vb
    Filesize: 14KB
    MD5: de647232052679e0dc63feb6a2ef5808
    SHA1: c64edba5680ce43466ee11ade815f05cf66350db
    SHA256: 7482c923f6bc713d389d7e33636b2e6e6a552962c3997d3af5525d6843637d41
    SHA512: d0b4e235d83cabac7113fe3d4fcd972d84479d484cc0e2cf96ff77695754c36c201946d681c28226e500ece88739c3dd9445644101d4ec1929fb3b441e0247e3

  • C:\Users\Admin\AppData\Local\Temp\d6b39ww9.cmdline
    Filesize: 266B
    MD5: 322cde96c66d64e0fa8651c5a4491583
    SHA1: 1aa49c922239bd65617066fbe72968be6150c742
    SHA256: 72cdb5c0919133f1ef0da0124045a32357123bd45d2763fefa050cd506c5d8e4
    SHA512: b5b5917582ef87ce24f30267d0575e0dba60afa9eeb61aca377d13b8b61764e10885fa0f5db257e647ca50af16d9cf186e8379c1e85813409a57129ceaf6727b

  • C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe
    Filesize: 78KB
    MD5: 7e9a2687c042856bef08f960c97d6ea9
    SHA1: 30a016fcbf962e4e1673721259cf768705daf2cb
    SHA256: 7684c433a74d6ac3c0fa062c88264c01306cd0916e733a721c6dbc517c34d6e8
    SHA512: 01b34be7ff8670b76d40e354ba18fd858a844ea8570af9c66297e20ea1e0a9cb3759ba869d500d98f58549e69d9f2ee891106aed06bdf1b035ca4bb47232edfe

  • C:\Users\Admin\AppData\Local\Temp\vbcE8E8.tmp
    Filesize: 660B
    MD5: b302d62d43d996b7d82cb7f58bcae392
    SHA1: c07717723f70117bd89db4ca14592aa3f8d4027e
    SHA256: 54b381c18fc9128636cb4a6c0d155971089bf40fe489c772899060f34cd12c69
    SHA512: 5054c8bc1300570016fcae5ef9ce1908d0889025e513e72a302dba06e140661fdd4d4ddff37ffe9c35d21971da2aa8c94d26642f22071fe2ea8542c122a11281

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
    SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
    SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
    SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

  • memory/2660-8-0x0000000074E70000-0x000000007541B000-memory.dmp
    Filesize: 5.7MB

  • memory/2660-18-0x0000000074E70000-0x000000007541B000-memory.dmp
    Filesize: 5.7MB

  • memory/2744-0-0x0000000074E71000-0x0000000074E72000-memory.dmp
    Filesize: 4KB

  • memory/2744-1-0x0000000074E70000-0x000000007541B000-memory.dmp
    Filesize: 5.7MB

  • memory/2744-2-0x0000000074E70000-0x000000007541B000-memory.dmp
    Filesize: 5.7MB

  • memory/2744-24-0x0000000074E70000-0x000000007541B000-memory.dmp
    Filesize: 5.7MB