Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 03:14 UTC

General

  • Target

    bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe

  • Size

    78KB

  • MD5

    3bca59494733119c7da105bcf6926a90

  • SHA1

    144dba8062069502fe3700802f752a4a7a4cd28e

  • SHA256

    bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0

  • SHA512

    5e7a454a7619a176bc7f08e952053270af392db32d36225c136a5a960c31d9c22f9919495daa607323fba1825e71e407c01dd08b08d9a528616cf48d89a44418

  • SSDEEP

    1536:fCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQti9/N1Ag:fCHF8hASyRxvhTzXPvCbW2Ui9/F

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Metamorpherrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akasju0_.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA49C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCD07DB4693949B9ABB533EAE9447FB.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1868
    • C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4528

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    182.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    182.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    bejnz.com
    tmpA3B2.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    bejnz.com
    IN A
    Response
    bejnz.com
    IN A
    44.221.84.105
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmpA3B2.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 13 Jan 2025 03:14:20 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=7d3328319f1caa790f2403157ecb460c|181.215.176.83|1736738060|1736738060|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    rwkeith.no-ip.org
    tmpA3B2.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    rwkeith.no-ip.org
    IN A
    Response
  • flag-us
    DNS
    105.84.221.44.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.84.221.44.in-addr.arpa
    IN PTR
    Response
    105.84.221.44.in-addr.arpa
    IN PTR
    ec2-44-221-84-105.compute-1.amazonaws.com
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmpA3B2.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 13 Jan 2025 03:14:22 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=f8665ca9c9d6f0d7e05f813098ee5c7a|181.215.176.83|1736738062|1736738062|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmpA3B2.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 13 Jan 2025 03:14:23 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=935db46173a1b63ebea26bed7b60ad6f|181.215.176.83|1736738063|1736738063|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    rwkeith.no-ip.org
    tmpA3B2.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    rwkeith.no-ip.org
    IN A
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    rwkeith.no-ip.org
    tmpA3B2.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    rwkeith.no-ip.org
    IN A
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    rwkeith.no-ip.org
    tmpA3B2.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    rwkeith.no-ip.org
    IN A
    Response
  • flag-us
    DNS
    rwkeith.no-ip.org
    tmpA3B2.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    rwkeith.no-ip.org
    IN A
    Response
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpA3B2.tmp.exe
    295 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpA3B2.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmpA3B2.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 44.221.84.105:80
    bejnz.com
    tmpA3B2.tmp.exe
    520 B
    10
  • 44.221.84.105:80
    bejnz.com
    tmpA3B2.tmp.exe
    260 B
    5
  • 44.221.84.105:80
    bejnz.com
    tmpA3B2.tmp.exe
    260 B
    5
  • 44.221.84.105:80
    bejnz.com
    tmpA3B2.tmp.exe
    260 B
    5
  • 44.221.84.105:80
    bejnz.com
    tmpA3B2.tmp.exe
    52 B
    1
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    182.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    182.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    bejnz.com
    dns
    tmpA3B2.tmp.exe
    55 B
    71 B
    1
    1

    DNS Request

    bejnz.com

    DNS Response

    44.221.84.105

  • 8.8.8.8:53
    rwkeith.no-ip.org
    dns
    tmpA3B2.tmp.exe
    63 B
    123 B
    1
    1

    DNS Request

    rwkeith.no-ip.org

  • 8.8.8.8:53
    105.84.221.44.in-addr.arpa
    dns
    72 B
    127 B
    1
    1

    DNS Request

    105.84.221.44.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    rwkeith.no-ip.org
    dns
    tmpA3B2.tmp.exe
    63 B
    123 B
    1
    1

    DNS Request

    rwkeith.no-ip.org

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    rwkeith.no-ip.org
    dns
    tmpA3B2.tmp.exe
    63 B
    123 B
    1
    1

    DNS Request

    rwkeith.no-ip.org

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    rwkeith.no-ip.org
    dns
    tmpA3B2.tmp.exe
    63 B
    123 B
    1
    1

    DNS Request

    rwkeith.no-ip.org

  • 8.8.8.8:53
    rwkeith.no-ip.org
    dns
    tmpA3B2.tmp.exe
    63 B
    123 B
    1
    1

    DNS Request

    rwkeith.no-ip.org

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA49C.tmp

    Filesize

    1KB

    MD5

    dbaeca339384cbe1744952a881ed44ec

    SHA1

    55d793a190f3720c43a6f63029718ccf467d6219

    SHA256

    31264e74c122465b63c7cd70bf4e1c0765728429888088914f3785e8dca1f6bc

    SHA512

    bf4003d6c28645ec1264ca544c1e45358c53e79d4f4c95d3d3af66564e43930baf033302b7b9db35d5c731d71a90e1e17a938f47c9d64016368909ae6f308111

  • C:\Users\Admin\AppData\Local\Temp\akasju0_.0.vb

    Filesize

    15KB

    MD5

    15d39b428c89f5de203e999a769db9c1

    SHA1

    78c34767669220e887a909a2f03535ab0ee8189c

    SHA256

    6ed9f9485ac75a4129665fb480599b6e993616f4852dde204cb6c675064a7dda

    SHA512

    34f1a41d060ccef64cbe379cb9033ce3bd71e34d35e4bf0bd5d798b32a3844819326ffb2e76f7dc7c70070c9330b0418ec69a3e6d1703aa60c0571361d4fda6f

  • C:\Users\Admin\AppData\Local\Temp\akasju0_.cmdline

    Filesize

    266B

    MD5

    3506f880bf546bdbd71e31e118e21545

    SHA1

    17b334c6cd91ef2cb5ee037d52de92cd5084f340

    SHA256

    d394b108187c4f2cee807e218b642f5222a6ebf4c5c48657a76a1b72bac61564

    SHA512

    11e2f516783c71ee7dd79e8bd83a59b41d86a35eb45202e9cfe979e42984a277591d1327988e37debc93850ce6c4e13173828e6a0ca88e50aefa50e10d51b583

  • C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe

    Filesize

    78KB

    MD5

    c800ff3d07e4286e9243c4995d858e54

    SHA1

    47905f2991810149118994cf0b5107e5433c09c7

    SHA256

    b8667f814689ebb004f504891b00ff8c58d55651dcb43422e7e54e512ecc6b50

    SHA512

    85bb0243a6a998580eaf6bca8400fceac0211a64263f41fb02d6afe5d2a0eb73c047e8a687b2b986a94c94ebd3fbf36f57d2678a5fe02345be5a8ac5ebc0f1b5

  • C:\Users\Admin\AppData\Local\Temp\vbcCCD07DB4693949B9ABB533EAE9447FB.TMP

    Filesize

    660B

    MD5

    ae401872750f97bf37d7286e13754352

    SHA1

    b05a92bbe0e6f0ca20815d53877ff5449ff42298

    SHA256

    c43e7e547ed0f2adc07d5fdf1c169039aa718dc63e63b8f557814fe93ae58fc0

    SHA512

    83d6d87a124f86d12008182e8494dfa34c3acd0dcd12a96fc586462058d38debdb64d63b7c2974352952025ac4f640bd2de5ab75a39f0db2696a910fb4a817fb

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/1312-1-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/1312-2-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/1312-0-0x00000000753B2000-0x00000000753B3000-memory.dmp

    Filesize

    4KB

  • memory/1312-22-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/3584-8-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/3584-18-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/4528-23-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/4528-24-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/4528-26-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/4528-27-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB

  • memory/4528-28-0x00000000753B0000-0x0000000075961000-memory.dmp

    Filesize

    5.7MB
