Analysis
max time kernel: 117s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/01/2025, 21:47

Static task: static1

Behavioral task: behavioral1
  Sample: 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
  Resource: win10v2004-20241007-en
General
Target: 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
Size: 78KB
MD5: f1eecaef677c048818600768038fe196
SHA1: 885202b3391134c6c3032b962c42548245e76ec7
SHA256: 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e
SHA512: 8a752562cc4b2e34aa727ec4726d408405f7042771972647f2e20931a88983d9312bec91622c3836a58f9d6c6853cf676e370e3cdd814fef850b403c7a0a33e1
SSDEEP: 1536:lRCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRJ9/N1pU3C:lRCHFq3Ln7N041QqhgRJ9/JqC
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe

Executes dropped EXE (1 IoC)
pid | Process
1536 | tmp9F0F.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp9F0F.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9F0F.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2372 | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
Token: SeDebugPrivilege | 1536 | tmp9F0F.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2372 wrote to memory of 3304 | 2372 | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe | 83
PID 2372 wrote to memory of 3304 | 2372 | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe | 83
PID 2372 wrote to memory of 3304 | 2372 | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe | 83
PID 3304 wrote to memory of 2132 | 3304 | vbc.exe | 85
PID 3304 wrote to memory of 2132 | 3304 | vbc.exe | 85
PID 3304 wrote to memory of 2132 | 3304 | vbc.exe | 85
PID 2372 wrote to memory of 1536 | 2372 | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe | 86
PID 2372 wrote to memory of 1536 | 2372 | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe | 86
PID 2372 wrote to memory of 1536 | 2372 | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe | 86
Processes
C:\Users\Admin\AppData\Local\Temp\975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2372

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gfjw80sv.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3304

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA018.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37745B44B44047E0A1485B9043AF64D.TMP"
      - System Location Discovery: System Language Discovery
      PID: 2132

  C:\Users\Admin\AppData\Local\Temp\tmp9F0F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9F0F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1536
Network
MITRE ATT&CK Enterprise v15
Downloads