Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2025, 03:14 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
  Resource: win10v2004-20241007-en
General
Target: bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
Size: 78KB
MD5: 3bca59494733119c7da105bcf6926a90
SHA1: 144dba8062069502fe3700802f752a4a7a4cd28e
SHA256: bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0
SHA512: 5e7a454a7619a176bc7f08e952053270af392db32d36225c136a5a960c31d9c22f9919495daa607323fba1825e71e407c01dd08b08d9a528616cf48d89a44418
SSDEEP: 1536:fCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQti9/N1Ag:fCHF8hASyRxvhTzXPvCbW2Ui9/F
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe

Executes dropped EXE (1 IoC)
pid | Process
4528 | tmpA3B2.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmpA3B2.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpA3B2.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1312 | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
Token: SeDebugPrivilege | 4528 | tmpA3B2.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1312 wrote to memory of 3584 | 1312 | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe | 84
PID 1312 wrote to memory of 3584 | 1312 | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe | 84
PID 1312 wrote to memory of 3584 | 1312 | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe | 84
PID 3584 wrote to memory of 1868 | 3584 | vbc.exe | 86
PID 3584 wrote to memory of 1868 | 3584 | vbc.exe | 86
PID 3584 wrote to memory of 1868 | 3584 | vbc.exe | 86
PID 1312 wrote to memory of 4528 | 1312 | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe | 87
PID 1312 wrote to memory of 4528 | 1312 | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe | 87
PID 1312 wrote to memory of 4528 | 1312 | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1312

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akasju0_.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3584

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA49C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCD07DB4693949B9ABB533EAE9447FB.TMP"
      - System Location Discovery: System Language Discovery
      PID: 1868

  C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4528
Network
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google

Remote address: 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 182.129.81.91.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 71.31.126.40.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: bejnz.com IN A
Response: bejnz.com IN A 44.221.84.105

Remote address: 44.221.84.105:80
Request:
GET /IP.php HTTP/1.1
Host: bejnz.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Mon, 13 Jan 2025 03:14:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=7d3328319f1caa790f2403157ecb460c|181.215.176.83|1736738060|1736738060|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Remote address: 8.8.8.8:53
Request: rwkeith.no-ip.org IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: 105.84.221.44.in-addr.arpa IN PTR
Response: 105.84.221.44.in-addr.arpa IN PTR ec2-44-221-84-105.compute-1.amazonaws.com

Remote address: 44.221.84.105:80
Request:
GET /IP.php HTTP/1.1
Host: bejnz.com
Response:
HTTP/1.1 200 OK
Date: Mon, 13 Jan 2025 03:14:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=f8665ca9c9d6f0d7e05f813098ee5c7a|181.215.176.83|1736738062|1736738062|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Remote address: 44.221.84.105:80
Request:
GET /IP.php HTTP/1.1
Host: bejnz.com
Response:
HTTP/1.1 200 OK
Date: Mon, 13 Jan 2025 03:14:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=935db46173a1b63ebea26bed7b60ad6f|181.215.176.83|1736738063|1736738063|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Remote address: 8.8.8.8:53
Request: 56.163.245.4.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 15.164.165.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 92.12.20.2.in-addr.arpa IN PTR
Response: 92.12.20.2.in-addr.arpa IN PTR a2-20-12-92.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: rwkeith.no-ip.org IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: rwkeith.no-ip.org IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: 73.144.22.2.in-addr.arpa IN PTR
Response: 73.144.22.2.in-addr.arpa IN PTR a2-22-144-73.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 19.229.111.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: rwkeith.no-ip.org IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: rwkeith.no-ip.org IN A
Response: (empty)
Traffic summary
Sent | Received | Pkts sent | Pkts received | Summary
295 B | 625 B | 5 | 5 | HTTP Request: GET http://bejnz.com/IP.php; HTTP Response: 200
271 B | 625 B | 5 | 5 | HTTP Request: GET http://bejnz.com/IP.php; HTTP Response: 200
271 B | 625 B | 5 | 5 | HTTP Request: GET http://bejnz.com/IP.php; HTTP Response: 200
520 B | - | 10 | - | (no response recorded)
260 B | - | 5 | - | (no response recorded)
260 B | - | 5 | - | (no response recorded)
260 B | - | 5 | - | (no response recorded)
52 B | - | 1 | - | (no response recorded)
66 B | 90 B | 1 | 1 | DNS Request: 8.8.8.8.in-addr.arpa
73 B | 147 B | 1 | 1 | DNS Request: 104.219.191.52.in-addr.arpa
72 B | 147 B | 1 | 1 | DNS Request: 182.129.81.91.in-addr.arpa
71 B | 157 B | 1 | 1 | DNS Request: 71.31.126.40.in-addr.arpa
73 B | 144 B | 1 | 1 | DNS Request: 95.221.229.192.in-addr.arpa
55 B | 71 B | 1 | 1 | DNS Request: bejnz.com; DNS Response: 44.221.84.105
63 B | 123 B | 1 | 1 | DNS Request: rwkeith.no-ip.org
72 B | 127 B | 1 | 1 | DNS Request: 105.84.221.44.in-addr.arpa
71 B | 157 B | 1 | 1 | DNS Request: 56.163.245.4.in-addr.arpa
72 B | 146 B | 1 | 1 | DNS Request: 15.164.165.52.in-addr.arpa
69 B | 131 B | 1 | 1 | DNS Request: 92.12.20.2.in-addr.arpa
63 B | 123 B | 1 | 1 | DNS Request: rwkeith.no-ip.org
74 B | 128 B | 1 | 1 | DNS Request: 172.214.232.199.in-addr.arpa
63 B | 123 B | 1 | 1 | DNS Request: rwkeith.no-ip.org
70 B | 133 B | 1 | 1 | DNS Request: 73.144.22.2.in-addr.arpa
72 B | 158 B | 1 | 1 | DNS Request: 19.229.111.52.in-addr.arpa
63 B | 123 B | 1 | 1 | DNS Request: rwkeith.no-ip.org
63 B | 123 B | 1 | 1 | DNS Request: rwkeith.no-ip.org
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: dbaeca339384cbe1744952a881ed44ec
SHA1: 55d793a190f3720c43a6f63029718ccf467d6219
SHA256: 31264e74c122465b63c7cd70bf4e1c0765728429888088914f3785e8dca1f6bc
SHA512: bf4003d6c28645ec1264ca544c1e45358c53e79d4f4c95d3d3af66564e43930baf033302b7b9db35d5c731d71a90e1e17a938f47c9d64016368909ae6f308111

Filesize: 15KB
MD5: 15d39b428c89f5de203e999a769db9c1
SHA1: 78c34767669220e887a909a2f03535ab0ee8189c
SHA256: 6ed9f9485ac75a4129665fb480599b6e993616f4852dde204cb6c675064a7dda
SHA512: 34f1a41d060ccef64cbe379cb9033ce3bd71e34d35e4bf0bd5d798b32a3844819326ffb2e76f7dc7c70070c9330b0418ec69a3e6d1703aa60c0571361d4fda6f

Filesize: 266B
MD5: 3506f880bf546bdbd71e31e118e21545
SHA1: 17b334c6cd91ef2cb5ee037d52de92cd5084f340
SHA256: d394b108187c4f2cee807e218b642f5222a6ebf4c5c48657a76a1b72bac61564
SHA512: 11e2f516783c71ee7dd79e8bd83a59b41d86a35eb45202e9cfe979e42984a277591d1327988e37debc93850ce6c4e13173828e6a0ca88e50aefa50e10d51b583

Filesize: 78KB
MD5: c800ff3d07e4286e9243c4995d858e54
SHA1: 47905f2991810149118994cf0b5107e5433c09c7
SHA256: b8667f814689ebb004f504891b00ff8c58d55651dcb43422e7e54e512ecc6b50
SHA512: 85bb0243a6a998580eaf6bca8400fceac0211a64263f41fb02d6afe5d2a0eb73c047e8a687b2b986a94c94ebd3fbf36f57d2678a5fe02345be5a8ac5ebc0f1b5

Filesize: 660B
MD5: ae401872750f97bf37d7286e13754352
SHA1: b05a92bbe0e6f0ca20815d53877ff5449ff42298
SHA256: c43e7e547ed0f2adc07d5fdf1c169039aa718dc63e63b8f557814fe93ae58fc0
SHA512: 83d6d87a124f86d12008182e8494dfa34c3acd0dcd12a96fc586462058d38debdb64d63b7c2974352952025ac4f640bd2de5ab75a39f0db2696a910fb4a817fb

Filesize: 62KB
MD5: 8fd8e054ba10661e530e54511658ac20
SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c