Analysis
- Max time kernel: 119s
- Max time network: 120s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 16/01/2025, 15:16

Static task: static1

Behavioral task: behavioral1
- Sample: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
- Resource: win10v2004-20241007-en
General
- Target: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
- Size: 78KB
- MD5: 9a248e1ed8a6f4e616ec49615b579988
- SHA1: fcf296baaae3d6084da8702e0d9b5ab912e74dd3
- SHA256: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41
- SHA512: 664ad10f23deba3c07d111f29daad0155fd27bc77170c44199a5e7ccf44c6184b92f41eaf31cfdbea65b3ee2a59331ad2c82f90f4408348aed53d4d3a6740c91
- SSDEEP: 1536:dRWV5jWXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96j9/w81GNL:dRWV5jeSyRxvhTzXPvCbW2UM9/eL
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe)
- Deletes itself (1 IoC)
  PID 3508, process: tmp78F9.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 3508, process: tmp78F9.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmp78F9.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp78F9.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2548, process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
  Token: SeDebugPrivilege, PID 3508, process: tmp78F9.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2548 wrote to memory of 1028, process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe, procid_target 82
  PID 2548 wrote to memory of 1028, process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe, procid_target 82
  PID 2548 wrote to memory of 1028, process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe, procid_target 82
  PID 1028 wrote to memory of 2336, process: vbc.exe, procid_target 84
  PID 1028 wrote to memory of 2336, process: vbc.exe, procid_target 84
  PID 1028 wrote to memory of 2336, process: vbc.exe, procid_target 84
  PID 2548 wrote to memory of 3508, process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe, procid_target 85
  PID 2548 wrote to memory of 3508, process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe, procid_target 85
  PID 2548 wrote to memory of 3508, process: 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe, procid_target 85
Processes
- C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe (PID 2548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1028)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cmqiblhk.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2336)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ACD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6563718261F945E29E5FD95FF5B1DBF6.TMP"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe (PID 3508)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads