Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/01/2025, 01:13
Static task: static1
Behavioral task: behavioral1
  Sample: 67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
  Resource: win10v2004-20241007-en
General
Target: 67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
Size: 78KB
MD5: 89acae0ecba8842f2155d1d63206ffb9
SHA1: 19504e1af0cca38865d49dedc483874db86f778f
SHA256: 67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09
SHA512: 2feefbec53cb5dd9868178929bd08b0de9e97f171d0ceed888c5257a3b3ef16a92372d422dcdf1473c8d05fbaaf61a12751aa0be9d1479506440ac00490f7f0a
SSDEEP: 1536:XuHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte29/61Ys:XuHF8hASyRxvhTzXPvCbW2Ue29/G
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Executes dropped EXE (1 IoCs)
  pid   Process
  1740  tmpC986.tmp.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
  2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmpC986.tmp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpC986.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
  Token: SeDebugPrivilege  1740  tmpC986.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                                                Process target
  PID 2400 wrote to memory of 1268    2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe  30
  PID 2400 wrote to memory of 1268    2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe  30
  PID 2400 wrote to memory of 1268    2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe  30
  PID 2400 wrote to memory of 1268    2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe  30
  PID 1268 wrote to memory of 2764    1268  vbc.exe                                                                32
  PID 1268 wrote to memory of 2764    1268  vbc.exe                                                                32
  PID 1268 wrote to memory of 2764    1268  vbc.exe                                                                32
  PID 1268 wrote to memory of 2764    1268  vbc.exe                                                                32
  PID 2400 wrote to memory of 1740    2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe  33
  PID 2400 wrote to memory of 1740    2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe  33
  PID 2400 wrote to memory of 1740    2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe  33
  PID 2400 wrote to memory of 1740    2400  67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe  33
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2400
  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g4ti6laa.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1268
    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB5A.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2764
  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmpC986.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC986.tmp.exe" C:\Users\Admin\AppData\Local\Temp\67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1740
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: a2ccf4e94b8132bdc50a06cb7048a002
SHA1: 06eacad94597ed50a3a63d2d9dd39069264c4a72
SHA256: 48b1ec4a6229effa3ffaa4c0a8d24a059972babc91f7dc7f70319aede4012af8
SHA512: cc987c5dd61debbd0ca8509be1a35e602c26dff6bfa834ad9a7b50f3d51f7bf626f43a97f0c3e5727db28d29f8877896feb1b74f660f5e4e5a258f32a80d7242

Filesize: 15KB
MD5: dfa3fc99eeb2a6f8020bf1fc293e3bfd
SHA1: c12fd48f31ae5753e4db7de7d6446c18df2116d6
SHA256: 711b908d61edc9dc1fa38d0af9a60c9570ee058a73d3ae941b955b9a7b6976c4
SHA512: 34df6f74b52b778fcc0961d476ad5ebeda333f969775333091f2a811ff6d20c33965f0274a4c95ee3897f546c4e79fd6756b9ef6a96e936db18278b88c12fa57

Filesize: 266B
MD5: edef480a6edd7aac11ba854badf61f90
SHA1: 5d406a71cacca89b7d81bfcbf8cd98f726bf7a2a
SHA256: 11c182220b0efb5403efdffea52e46993ddea235f4cd77d65a2518c3c3e256ca
SHA512: 327cbce210737c67ae4e6e7b2373a0bf0918698874c5c3e8fe63762ba471fee2f3801d115a610093bd31e26a1e66eea6ba2cf1a48afa58a88cf636744fa929b2

Filesize: 78KB
MD5: f2bff4420f9450f007c7b186c228b44f
SHA1: 4f9dcdd4f2ee8fd84a258130b24d79ab86804b16
SHA256: 94dee2e6d0f1df059f2502e4d35eea31ca29c846d49d756c7adba936c907bc6a
SHA512: c147ba523b4f7ad106b11fc219b652b812b01fa5b10c395e01e191d67b01c34793b0c88ef39438751d6d2d1534c96610bf1ca8076fd30ba0360833b9d65ffc6b

Filesize: 660B
MD5: 8e7b360f3458b99428cc2c1008942566
SHA1: 05494aa6abebad6a1bd5196221fa512f134b5983
SHA256: 59a41ab9144770c05303d84a690216a08e1a186d2bf3c4f9de8cbdc905f2312c
SHA512: 2e6e09b058649f0b38cfd3a5eb38b8e5f3c16b36448174c8cb29cee220b06369eb8c9c66adf1ec30688aab20640cbdf526d98f308e1bfeb188492787f54617e0

Filesize: 62KB
MD5: 8fd8e054ba10661e530e54511658ac20
SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c