Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2025, 22:36
Static task
- static1
Behavioral task
- behavioral1
  Sample: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
  Resource: win10v2004-20241007-en
General
- Target: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
- Size: 78KB
- MD5: cbc8b8f41ccac7371e1e8c987900ef98
- SHA1: dc8319f56aa110cef5323b171cd7a800ccacf404
- SHA256: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d
- SHA512: cb587c04d55a366fcf91a9b82c5852a24c734b3c88b60aca9a2ef3982fa833c4171e7fd3c24e1443bc4cc088df471d612976b5bd843fdd07ca7bff015b1ab2ed
- SSDEEP: 1536:cRWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte6S9/R1Db:cRWtHa3Ln7N041Qqhge6S9/b
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Deletes itself (1 IoC)
  pid 2272, process tmpD9BC.tmp.exe
- Executes dropped EXE (1 IoC)
  pid 2272, process tmpD9BC.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 2464, process 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
  pid 2464, process 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmpD9BC.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process vbc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cvtres.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process tmpD9BC.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2464, process 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
  Token: SeDebugPrivilege, pid 2272, process tmpD9BC.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2464 wrote to memory of 2472 | 2464 | 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe | 31 (this row is recorded 4 times)
  PID 2472 wrote to memory of 2500 | 2472 | vbc.exe | 33 (this row is recorded 4 times)
  PID 2464 wrote to memory of 2272 | 2464 | 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe | 34 (this row is recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe"
  PID: 2464
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zrewpsip.cmdline"
    PID: 2472
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDAC5.tmp"
      PID: 2500
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpD9BC.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD9BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
    PID: 2272
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads