Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2025, 10:33
Static task: static1
Behavioral task: behavioral1
- Sample: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
- Resource: win10v2004-20241007-en
General
- Target: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
- Size: 78KB
- MD5: 0df3110a86b2ad893c527cf4cf89cfc8
- SHA1: c2742c7fff7c3203a89fbf462ac7f15a1a8b0fde
- SHA256: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc
- SHA512: 2849e5b61120f8f90e7ec17be598bfb8308442a2c073e0cc7fd461649732c86cb7b411fb162230c7674390ad320954ef153b82a6d6688c7e0f31826799979ee8
- SSDEEP: 1536:GHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtS9/V1evZ3:GHshASyRxvhTzXPvCbW2US9/M3
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe)
- Executes dropped EXE (1 IoC)
  PID 724: tmp79A4.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmp79A4.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp79A4.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (PID 2988, process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe)
  Token: SeDebugPrivilege (PID 724, process: tmp79A4.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2988 wrote to memory of 4060 (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe, procid_target: 82)
  PID 2988 wrote to memory of 4060 (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe, procid_target: 82)
  PID 2988 wrote to memory of 4060 (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe, procid_target: 82)
  PID 4060 wrote to memory of 2312 (process: vbc.exe, procid_target: 84)
  PID 4060 wrote to memory of 2312 (process: vbc.exe, procid_target: 84)
  PID 4060 wrote to memory of 2312 (process: vbc.exe, procid_target: 84)
  PID 2988 wrote to memory of 724 (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe, procid_target: 85)
  PID 2988 wrote to memory of 724 (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe, procid_target: 85)
  PID 2988 wrote to memory of 724 (process: 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe, procid_target: 85)
Processes
- C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe"
  PID: 2988
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1mvhwghp.cmdline"
    PID: 4060
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF0938EE3A4494E9CBF1B683CA85CD4.TMP"
      PID: 2312
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp79A4.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp79A4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
    PID: 724
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads