Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07/01/2025, 10:17
Static task: static1
Behavioral task: behavioral1
  Sample: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  Resource: win10v2004-20241007-en
General
- Target: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
- Size: 78KB
- MD5: 64d6e93324b0895e0b790c167a579393
- SHA1: 2f4d390f82feb9513e2decbd8b2165340e3a33f0
- SHA256: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70
- SHA512: 05328cf8d036b879b8e05e99b8347c306e8551ca9dde63b31eb2b1f02190de3308d179f8b46169e7e2489224dee78806d76165b4f5dfbef5a6af43045c96a552
- SSDEEP: 1536:SRWV5iXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6O9/I1mHd:SRWV5aSyRxvY3md+dWWZyl9/Vd
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  pid  Process
  2676 tmpE7D0.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid  Process
  2744 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  2744 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""  tmpE7D0.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpE7D0.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  Token: SeDebugPrivilege  2676  tmpE7D0.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2744 wrote to memory of 2660  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe  31
  PID 2744 wrote to memory of 2660  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe  31
  PID 2744 wrote to memory of 2660  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe  31
  PID 2744 wrote to memory of 2660  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe  31
  PID 2660 wrote to memory of 2788  2660  vbc.exe                                                                 33
  PID 2660 wrote to memory of 2788  2660  vbc.exe                                                                 33
  PID 2660 wrote to memory of 2788  2660  vbc.exe                                                                 33
  PID 2660 wrote to memory of 2788  2660  vbc.exe                                                                 33
  PID 2744 wrote to memory of 2676  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe  34
  PID 2744 wrote to memory of 2676  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe  34
  PID 2744 wrote to memory of 2676  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe  34
  PID 2744 wrote to memory of 2676  2744  8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe  34
Processes
- C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe (PID 2744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2660)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d6b39ww9.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2788)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8E8.tmp"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe (PID 2676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads