Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2025, 10:17
Static task
- static1

Behavioral task
- behavioral1
  Sample: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  Resource: win7-20240903-en

Behavioral task
- behavioral2
  Sample: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  Resource: win10v2004-20241007-en
General
- Target: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
- Size: 78KB
- MD5: 64d6e93324b0895e0b790c167a579393
- SHA1: 2f4d390f82feb9513e2decbd8b2165340e3a33f0
- SHA256: 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70
- SHA512: 05328cf8d036b879b8e05e99b8347c306e8551ca9dde63b31eb2b1f02190de3308d179f8b46169e7e2489224dee78806d76165b4f5dfbef5a6af43045c96a552
- SSDEEP: 1536:SRWV5iXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6O9/I1mHd:SRWV5aSyRxvY3md+dWWZyl9/Vd
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.

- Metamorpherrat family

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  2896 | tmp732C.tmp.exe

- Uses the VBS compiler for execution (1 TTP)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmp732C.tmp.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp732C.tmp.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3216 | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  Token: SeDebugPrivilege | 2896 | tmp732C.tmp.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3216 wrote to memory of 3960 | 3216 | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe | 82
  PID 3216 wrote to memory of 3960 | 3216 | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe | 82
  PID 3216 wrote to memory of 3960 | 3216 | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe | 82
  PID 3960 wrote to memory of 2880 | 3960 | vbc.exe | 84
  PID 3960 wrote to memory of 2880 | 3960 | vbc.exe | 84
  PID 3960 wrote to memory of 2880 | 3960 | vbc.exe | 84
  PID 3216 wrote to memory of 2896 | 3216 | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe | 85
  PID 3216 wrote to memory of 2896 | 3216 | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe | 85
  PID 3216 wrote to memory of 2896 | 3216 | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3216

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8bm0tase.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3960

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD66FA52677654E0A8DB75590FAAC324.TMP"
      - System Location Discovery: System Language Discovery
      PID: 2880

  - C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2896
Network
MITRE ATT&CK Enterprise v15
Downloads