Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/01/2025, 01:13

General

  • Target
    67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
  • Size
    78KB
  • MD5
    89acae0ecba8842f2155d1d63206ffb9
  • SHA1
    19504e1af0cca38865d49dedc483874db86f778f
  • SHA256
    67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09
  • SHA512
    2feefbec53cb5dd9868178929bd08b0de9e97f171d0ceed888c5257a3b3ef16a92372d422dcdf1473c8d05fbaaf61a12751aa0be9d1479506440ac00490f7f0a
  • SSDEEP
    1536:XuHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte29/61Ys:XuHF8hASyRxvhTzXPvCbW2Ue29/G

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
    "C:\Users\Admin\AppData\Local\Temp\67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g4ti6laa.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB5A.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
    • C:\Users\Admin\AppData\Local\Temp\tmpC986.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC986.tmp.exe" C:\Users\Admin\AppData\Local\Temp\67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1740

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESCB6B.tmp
    Filesize: 1KB
    MD5: a2ccf4e94b8132bdc50a06cb7048a002
    SHA1: 06eacad94597ed50a3a63d2d9dd39069264c4a72
    SHA256: 48b1ec4a6229effa3ffaa4c0a8d24a059972babc91f7dc7f70319aede4012af8
    SHA512: cc987c5dd61debbd0ca8509be1a35e602c26dff6bfa834ad9a7b50f3d51f7bf626f43a97f0c3e5727db28d29f8877896feb1b74f660f5e4e5a258f32a80d7242
  • C:\Users\Admin\AppData\Local\Temp\g4ti6laa.0.vb
    Filesize: 15KB
    MD5: dfa3fc99eeb2a6f8020bf1fc293e3bfd
    SHA1: c12fd48f31ae5753e4db7de7d6446c18df2116d6
    SHA256: 711b908d61edc9dc1fa38d0af9a60c9570ee058a73d3ae941b955b9a7b6976c4
    SHA512: 34df6f74b52b778fcc0961d476ad5ebeda333f969775333091f2a811ff6d20c33965f0274a4c95ee3897f546c4e79fd6756b9ef6a96e936db18278b88c12fa57
  • C:\Users\Admin\AppData\Local\Temp\g4ti6laa.cmdline
    Filesize: 266B
    MD5: edef480a6edd7aac11ba854badf61f90
    SHA1: 5d406a71cacca89b7d81bfcbf8cd98f726bf7a2a
    SHA256: 11c182220b0efb5403efdffea52e46993ddea235f4cd77d65a2518c3c3e256ca
    SHA512: 327cbce210737c67ae4e6e7b2373a0bf0918698874c5c3e8fe63762ba471fee2f3801d115a610093bd31e26a1e66eea6ba2cf1a48afa58a88cf636744fa929b2
  • C:\Users\Admin\AppData\Local\Temp\tmpC986.tmp.exe
    Filesize: 78KB
    MD5: f2bff4420f9450f007c7b186c228b44f
    SHA1: 4f9dcdd4f2ee8fd84a258130b24d79ab86804b16
    SHA256: 94dee2e6d0f1df059f2502e4d35eea31ca29c846d49d756c7adba936c907bc6a
    SHA512: c147ba523b4f7ad106b11fc219b652b812b01fa5b10c395e01e191d67b01c34793b0c88ef39438751d6d2d1534c96610bf1ca8076fd30ba0360833b9d65ffc6b
  • C:\Users\Admin\AppData\Local\Temp\vbcCB5A.tmp
    Filesize: 660B
    MD5: 8e7b360f3458b99428cc2c1008942566
    SHA1: 05494aa6abebad6a1bd5196221fa512f134b5983
    SHA256: 59a41ab9144770c05303d84a690216a08e1a186d2bf3c4f9de8cbdc905f2312c
    SHA512: 2e6e09b058649f0b38cfd3a5eb38b8e5f3c16b36448174c8cb29cee220b06369eb8c9c66adf1ec30688aab20640cbdf526d98f308e1bfeb188492787f54617e0
  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 8fd8e054ba10661e530e54511658ac20
    SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
    SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
    SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c
  • memory/1268-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp
    Filesize: 5.7MB
  • memory/1268-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp
    Filesize: 5.7MB
  • memory/2400-0-0x00000000747D1000-0x00000000747D2000-memory.dmp
    Filesize: 4KB
  • memory/2400-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp
    Filesize: 5.7MB
  • memory/2400-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp
    Filesize: 5.7MB
  • memory/2400-24-0x00000000747D0000-0x0000000074D7B000-memory.dmp
    Filesize: 5.7MB