Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/01/2025, 10:33

General

  • Target

    0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe

  • Size

    78KB

  • MD5

    0df3110a86b2ad893c527cf4cf89cfc8

  • SHA1

    c2742c7fff7c3203a89fbf462ac7f15a1a8b0fde

  • SHA256

    0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc

  • SHA512

    2849e5b61120f8f90e7ec17be598bfb8308442a2c073e0cc7fd461649732c86cb7b411fb162230c7674390ad320954ef153b82a6d6688c7e0f31826799979ee8

  • SSDEEP

    1536:GHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtS9/V1evZ3:GHshASyRxvhTzXPvCbW2US9/M3

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
    "C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r7soaayb.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA20A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA209.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3052
    • C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA20A.tmp

    Filesize

    1KB

    MD5

    f7419db5fa8ada032dcdfd1777aa8f1f

    SHA1

    fba4117a2a399423c7163f33aef3f3b35124c135

    SHA256

    81b9ef61b7ca48edbad5c61301f2745cdd0cb96a47a9da5b62eca4d12e5d1701

    SHA512

    d7d6911b5f29bfae3ad5b85325002791279755ca5e4bdcfe495ed909c323e1364823c6c7e06ecde285136687ee38278698de0e5d27948900dd895bb3bb47dc5d

  • C:\Users\Admin\AppData\Local\Temp\r7soaayb.0.vb

    Filesize

    15KB

    MD5

    8663d09596fd08b324b50a3c2baa1cc2

    SHA1

    575b5546465556e564c3ea5ae8d1dc66d01ef8c4

    SHA256

    829d76ba594138dfaa2b770d4deefe16d634bcbbe4614c01c22c6179a7f9cce7

    SHA512

    c045b91cfb585f61d2d74ed9c57c60c6472635b60eba09f32bca2707950ab17fc20e37fad9286fdb3c2ebbc5bde95c3a582ca830122c879672bb77cbf4da0bf2

  • C:\Users\Admin\AppData\Local\Temp\r7soaayb.cmdline

    Filesize

    266B

    MD5

    0a02d1ed14d3f0dd698a3d2804bba1cb

    SHA1

    2800ae5cba74901042c95da2cae4ac9a011cb3a1

    SHA256

    e2206c2a68d55b1dfdbbfec472ff0c3d9aabf7b6a02104f961b225f79c6ecb78

    SHA512

    ae4de91b827ef454eb95c33f29b1c245df765f970e86fb9730c1cac2f3fe05d3bb024204e313a46d148892c25c0641a69e36e2f18d074c47741901295483b46e

  • C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.exe

    Filesize

    78KB

    MD5

    7b1ca6160570d3dd369ea08ba9288d6f

    SHA1

    38f6d4234b6b2f36c46769c18e42ecb1ecc4033e

    SHA256

    3698060c7679b14ec7b6ee9e3e9037e6dbab63d8c1e4fcc3f3b9361a8458f7b9

    SHA512

    8203c8d74c3ca57ddf16cd9bafe10f24501607b95bdc6a60b0528040e491476316b106e42b79a0f7c27161ea991d03c00bc0d02e29ef1c901836452a85c7bce4

  • C:\Users\Admin\AppData\Local\Temp\vbcA209.tmp

    Filesize

    660B

    MD5

    fc5d88d1ea9356afc6e9512d4b2c29f0

    SHA1

    e1a3ee879846cbdf2564ce07f52b7e16b7dcef55

    SHA256

    59af5c4977dbf9d92da7d68296c64287ca3313bfbb6000f9affeb2138f172fe8

    SHA512

    5ca4fc84377f7c1902e5a5da34258d3cc74813b9fa2bd9f3239b98a82446e6ac503f51c13b57f3802f9e99ba3a2c39470f2f297ea3b5c4665dfb6437498e90fb

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/1316-0-0x0000000074F41000-0x0000000074F42000-memory.dmp

    Filesize

    4KB

  • memory/1316-1-0x0000000074F40000-0x00000000754EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1316-2-0x0000000074F40000-0x00000000754EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1316-24-0x0000000074F40000-0x00000000754EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1324-8-0x0000000074F40000-0x00000000754EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1324-18-0x0000000074F40000-0x00000000754EB000-memory.dmp

    Filesize

    5.7MB