Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2025, 15:16
Static task: static1
Behavioral task: behavioral1
- Sample: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
- Resource: win10v2004-20241007-en
General
- Target: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
- Size: 78KB
- MD5: 9a248e1ed8a6f4e616ec49615b579988
- SHA1: fcf296baaae3d6084da8702e0d9b5ab912e74dd3
- SHA256: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41
- SHA512: 664ad10f23deba3c07d111f29daad0155fd27bc77170c44199a5e7ccf44c6184b92f41eaf31cfdbea65b3ee2a59331ad2c82f90f4408348aed53d4d3a6740c91
- SSDEEP: 1536:dRWV5jWXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96j9/w81GNL:dRWV5jeSyRxvhTzXPvCbW2UM9/eL
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoCs)
  pid   Process
  1976  tmpC6D8.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
  2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmpC6D8.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpC6D8.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
  Token: SeDebugPrivilege   1976  tmpC6D8.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2064 wrote to memory of 2600   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe   30
  PID 2064 wrote to memory of 2600   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe   30
  PID 2064 wrote to memory of 2600   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe   30
  PID 2064 wrote to memory of 2600   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe   30
  PID 2600 wrote to memory of 2448   2600  vbc.exe                                                                 32
  PID 2600 wrote to memory of 2448   2600  vbc.exe                                                                 32
  PID 2600 wrote to memory of 2448   2600  vbc.exe                                                                 32
  PID 2600 wrote to memory of 2448   2600  vbc.exe                                                                 32
  PID 2064 wrote to memory of 1976   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe   33
  PID 2064 wrote to memory of 1976   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe   33
  PID 2064 wrote to memory of 1976   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe   33
  PID 2064 wrote to memory of 1976   2064  2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe   33
Processes
- C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe"
  PID: 2064
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lqtmwe1v.cmdline"
    PID: 2600
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA22.tmp"
      PID: 2448
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpC6D8.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC6D8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
    PID: 1976
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads