Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10/01/2025, 10:25
Static task
static1
Behavioral task
behavioral1
Sample
f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe
Resource
win10v2004-20241007-en
General
Target: f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe
Size: 78KB
MD5: 4a3c91beb7649857fe449363a31dbb26
SHA1: 1d62115f261128f4b23a60bc96eaf79b5cb0801f
SHA256: f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a
SHA512: 30ee1dda010a3e861860e188ba7127f2a2d86669b5f419366edcefe3f0d0b8bb4d721be4d557cc68c245211ad3ac5207c249f1fa453e6b7f3b33d8cbc289f100
SSDEEP: 1536:EPCHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt1X9/a1o0:EPCHa3Ln7N041Qqhg1X9/C
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe

Deletes itself (1 IoC)
pid | Process
2688 | tmp8944.tmp.exe

Executes dropped EXE (1 IoC)
pid | Process
2688 | tmp8944.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp8944.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8944.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4044 | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe
Token: SeDebugPrivilege | 2688 | tmp8944.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4044 wrote to memory of 3616 | 4044 | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe | 84
PID 4044 wrote to memory of 3616 | 4044 | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe | 84
PID 4044 wrote to memory of 3616 | 4044 | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe | 84
PID 3616 wrote to memory of 3364 | 3616 | vbc.exe | 86
PID 3616 wrote to memory of 3364 | 3616 | vbc.exe | 86
PID 3616 wrote to memory of 3364 | 3616 | vbc.exe | 86
PID 4044 wrote to memory of 2688 | 4044 | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe | 87
PID 4044 wrote to memory of 2688 | 4044 | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe | 87
PID 4044 wrote to memory of 2688 | 4044 | f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe | 87
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4044

  Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nwtvpagf.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3616

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AF2D2C074C140559DAFF710FFDBE631.TMP"
      - System Location Discovery: System Language Discovery
      PID: 3364

  Level 2: C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f5ff276195ae5dc152b945ee085ea6158da8a9c1bb758450d407658d7c54761a.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2688
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 23a998079a42f51af662793897916420
SHA1: 757a8630dd2d00641a1773adb5b3fbb1ee3f3785
SHA256: ac28c6e0d1c291d1f7c43c843e270e4389753b8ea19a387577e1bbbfa9a51b96
SHA512: ab7b9b4bdb0e543151a07688a4ecc7e230738c20203574a1a54af690cca30ba2906d9ff20aa233b8171ad4da5b855c8194bcdb59da5631e0d47e30d256c96d21

Filesize: 15KB
MD5: d823140ae64d326aaa1bd9a529257eab
SHA1: 3f46911795887d67a0f043e62dbc28a00173c0f8
SHA256: 9b18a6bc3d0373a03cea92866e98c64801cc148eecc1e0761e79165827348b3c
SHA512: 4a922fcfaac9fb0800d2fbe9b2d744b6beb485c814f356dc4fbce95ee0a9f202c2e04ff4a31215947715d554e5f260aefcf65ef69cbead5238981f0b40f8eb5b

Filesize: 266B
MD5: f6c47afdc9416a904eb8506d499bb1bb
SHA1: 745ea599ee021246840059a144338c31626b7404
SHA256: 00ffd4191436619adff6086667ce85cfb416558d9f2eaab7b3cbf592675e8856
SHA512: 4401d9b3c8c2c8a4f8be66351fbde1df1d808cb7ff9a1e402d57329a31752e63a013a1173cd93c48bd2fab83996f287ba4cde11934f31a817ea137089be2f8c3

Filesize: 78KB
MD5: 2940618e019e2550b4c9334e9f46aa58
SHA1: 4df8a418c266d3efcd88401e66565d0d794c4903
SHA256: 3e1174507e4a50fb0ad95c0fedf7a69be62e3970912bd0ee6a08e60842018a4d
SHA512: 69d86bbeca409ae85d5dcc43b820be1bb2228275211993b3221830917e7fb4b883117378fc2bd9a83e3c4823cb914bf732f5702cb8f061915b138159b8c965ef

Filesize: 660B
MD5: 53d998327a266001ee5b1bc9e37bcc7f
SHA1: f231b916d139e4c90dc7126715a18e34c0c17118
SHA256: 9c3787bf33f712389e480c4ae4ab4a6e430efff0778e5a82d87c51246cec3d98
SHA512: 1a320796745097896db6f171a79d3666ac8b96073caa44d0f464d1bafffea45a4d8cf806eac90818d97a22e6ae1b679275c51e35fa9c744a30cad71c13375267

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65