Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/01/2025, 10:33
Static task
- static1
Behavioral task
- behavioral1: sample 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe, resource win7-20240903-en
Behavioral task
- behavioral2: sample 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe, resource win10v2004-20241007-en
General
- Target: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
- Size: 78KB
- MD5: 0df3110a86b2ad893c527cf4cf89cfc8
- SHA1: c2742c7fff7c3203a89fbf462ac7f15a1a8b0fde
- SHA256: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc
- SHA512: 2849e5b61120f8f90e7ec17be598bfb8308442a2c073e0cc7fd461649732c86cb7b411fb162230c7674390ad320954ef153b82a6d6688c7e0f31826799979ee8
- SSDEEP: 1536:GHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtS9/V1evZ3:GHshASyRxvhTzXPvCbW2US9/M3
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  PID 1832: tmpA035.tmp.exe
- Loads dropped DLL (2 IoCs)
  PID 1316: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
  PID 1316: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmpA035.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpA035.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1316, 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
  Token: SeDebugPrivilege, PID 1832, tmpA035.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Each row is one event: source PID, source process, target PID, target process id (procid_target).
  PID 1316 (0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe) wrote to memory of PID 1324, procid_target 28
  PID 1316 (0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe) wrote to memory of PID 1324, procid_target 28
  PID 1316 (0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe) wrote to memory of PID 1324, procid_target 28
  PID 1316 (0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe) wrote to memory of PID 1324, procid_target 28
  PID 1324 (vbc.exe) wrote to memory of PID 3052, procid_target 30
  PID 1324 (vbc.exe) wrote to memory of PID 3052, procid_target 30
  PID 1324 (vbc.exe) wrote to memory of PID 3052, procid_target 30
  PID 1324 (vbc.exe) wrote to memory of PID 3052, procid_target 30
  PID 1316 (0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe) wrote to memory of PID 1832, procid_target 31
  PID 1316 (0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe) wrote to memory of PID 1832, procid_target 31
  PID 1316 (0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe) wrote to memory of PID 1832, procid_target 31
  PID 1316 (0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe) wrote to memory of PID 1832, procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe"
  PID: 1316
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r7soaayb.cmdline"
    PID: 1324
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA20A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA209.tmp"
      PID: 3052
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
    PID: 1832
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads