Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 15:16

General

  • Target

    2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe

  • Size

    78KB

  • MD5

    9a248e1ed8a6f4e616ec49615b579988

  • SHA1

    fcf296baaae3d6084da8702e0d9b5ab912e74dd3

  • SHA256

    2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41

  • SHA512

    664ad10f23deba3c07d111f29daad0155fd27bc77170c44199a5e7ccf44c6184b92f41eaf31cfdbea65b3ee2a59331ad2c82f90f4408348aed53d4d3a6740c91

  • SSDEEP

    1536:dRWV5jWXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96j9/w81GNL:dRWV5jeSyRxvhTzXPvCbW2UM9/eL

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
    "C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lqtmwe1v.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA22.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2448
    • C:\Users\Admin\AppData\Local\Temp\tmpC6D8.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC6D8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESCA23.tmp

    Filesize

    1KB

    MD5

    2f123be6d6fae8b71466f89ef1ce46f5

    SHA1

    34ffddd77583fc6f7aa85aeddf47028873f77a08

    SHA256

    63beca531cdcd245c3078ae6f388a01980d261a80e7578772dee35671fe7e2d3

    SHA512

    a1c78117b8545ace71166ca1a2daf4712f1f95f4a0cea465dc74b1b122d3df33a96876314daf779fc52e7b6a08de320bb45728e16c24f105bdbb27aa94ff6936

  • C:\Users\Admin\AppData\Local\Temp\lqtmwe1v.0.vb

    Filesize

    14KB

    MD5

    8b22ada322efceaddb5c70dceb779929

    SHA1

    83e690e0d863fe31bf849076bc4469b5d9d87159

    SHA256

    debee28c873eddea619e640b31bf44394bf2922ccfe77a051a9a720177ca896e

    SHA512

    60ecd5169e3724b7f10089e117c33627951194bd3335b2772fe2586b95e482a11ad2b9ed768a772bc4a5de40f90e161adbe028dd8d37d65ebe157c359ea3f811

  • C:\Users\Admin\AppData\Local\Temp\lqtmwe1v.cmdline

    Filesize

    266B

    MD5

    4a8388a32fbe9df874259c4b727758d0

    SHA1

    21742f96175a89ec48e24b1e71b6eae375f2441d

    SHA256

    de34ec1183574288c3581379b70165af24f6687d7c666dc82ec977ef97edcff8

    SHA512

    2dfaca6e81586a9331833d4f876856bb014ff535c0fe333ff1348de1bf6b5ddb30ddbf411f1932d429eaf4698c541dda0c6597fc5d49228834fb702ab09221f1

  • C:\Users\Admin\AppData\Local\Temp\tmpC6D8.tmp.exe

    Filesize

    78KB

    MD5

    3d31ff2c77fc81f0427eb749ec4a1650

    SHA1

    42e7b7a669e6d9cbe2fac6f73f424d5aaf403e2d

    SHA256

    4c19a3a06b7895f79f700afe69932f762b96306db43c4ccf4507c92f167ebc3f

    SHA512

    c427e5d06de9ecab26cdafe023a854ec45598aefedbdcc244b1b660762fbb6fc21dc391a4d7b8222102a954cca65f2200cab8a3026609c9b36260f5df9285f17

  • C:\Users\Admin\AppData\Local\Temp\vbcCA22.tmp

    Filesize

    660B

    MD5

    95790abccda0f0df4f0af9950a0960b9

    SHA1

    0a8bdedbc31e901ee0c0c743ad17accd364cc89a

    SHA256

    a4b6715349a9a317119c227d63f1913664e82801d08e0862e20196f15f8a2b63

    SHA512

    57b5f4d1b5b9e27b032c2e020aca88431547358f619782ddfc9f5c861963ab68461776f9da75344d00c730745d15f6c360d58b76e735eaf65bd8868df112d843

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/2064-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

    Filesize

    4KB

  • memory/2064-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2064-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2064-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2600-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2600-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

    Filesize

    5.7MB