Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/01/2025, 22:36

General

  • Target

    5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe

  • Size

    78KB

  • MD5

    cbc8b8f41ccac7371e1e8c987900ef98

  • SHA1

    dc8319f56aa110cef5323b171cd7a800ccacf404

  • SHA256

    5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d

  • SHA512

    cb587c04d55a366fcf91a9b82c5852a24c734b3c88b60aca9a2ef3982fa833c4171e7fd3c24e1443bc4cc088df471d612976b5bd843fdd07ca7bff015b1ab2ed

  • SSDEEP

    1536:cRWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte6S9/R1Db:cRWtHa3Ln7N041Qqhge6S9/b

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
    "C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zrewpsip.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDAC5.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2500
    • C:\Users\Admin\AppData\Local\Temp\tmpD9BC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD9BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESDAC6.tmp

    Filesize

    1KB

    MD5

    cb522d641ae7c3f8cb7a0af9add38c4c

    SHA1

    b81a5bd7f313b7a229969339aeb8ffdfde6e43ee

    SHA256

    8799592e1f0509fbd215c97ac08af77f8fe32db336454e2df738208ec858c4fa

    SHA512

    a5e449b536415908abcfbb975d570f342bb24b0167dbe9284c51710ba6b566dc537ed5f5802c01ce64cfb0da46ad172a721a34ec5d298bf88b1c5eee4bbe9bdd

  • C:\Users\Admin\AppData\Local\Temp\tmpD9BC.tmp.exe

    Filesize

    78KB

    MD5

    4246c7f6570ddf2bbca82943d34f45e8

    SHA1

    d7c951d1f530ca3a95d7627138fef6be7b2bff00

    SHA256

    8d79f6e264598e3031642d15cdb94658485d4efc110aee5ffd7cb27f360eb9db

    SHA512

    cca0bb92afe5daf62343d93431952f37ccef32c5eca466b868d4b3138ed29e0017f27a4b15cb9fa9d137ebe159f924b8dbce4305a0f9de351d62ba545cc662a3

  • C:\Users\Admin\AppData\Local\Temp\vbcDAC5.tmp

    Filesize

    660B

    MD5

    64debf9a55ddd6dcac386b644f305c31

    SHA1

    2307e7674a18a8e5e862280ec71c9b1c960e279d

    SHA256

    1de00bbe151a4718827f7eb73b0716dca74232551569ddb2a18c95bde25812d6

    SHA512

    9a38bdeefc57fe33f46e266ab88701e5f6f10dd49969d838efe2ca7f982b8fbe6b166a9d6df25004f4b496ecd5eed8df102cf4e0dbb6d8d6aa7236f279ea7dba

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • C:\Users\Admin\AppData\Local\Temp\zrewpsip.0.vb

    Filesize

    15KB

    MD5

    59b5d07ed161fc3d7094be3de6779652

    SHA1

    d61dff2b669a727d98ca30a06be87a3b99d9bbd5

    SHA256

    c2074ad786e18c70b1e11eaf4b8e906c3ed4a44302148ded5368e7d2ebadf746

    SHA512

    fae0cf9c2a68d92cf3476a41d3b08d8768e7b60ca9d3c58b9061795dfeaaa80f6d2016228c265cb18831a414bb384f08480ec1fe577d5dc293942295f4afd412

  • C:\Users\Admin\AppData\Local\Temp\zrewpsip.cmdline

    Filesize

    266B

    MD5

    e43ac3e755552adccaa239c6fc72a5af

    SHA1

    722377d04a9da7c887b738ceb45d2dcadf1495b7

    SHA256

    a07661e2dd1651ed6b3f7a455f5c9b8e567557f97104d98fb74e9625a4abc5ad

    SHA512

    be76a9b4bb1b909ec2de8f325521a6a76485953aaed313ec299fc113233fd9e1331b584e495226a0b312a4c2abff33d1cc8e478f939b4c085b9b07ea47dace9f

  • memory/2464-0-0x0000000074FD1000-0x0000000074FD2000-memory.dmp

    Filesize

    4KB

  • memory/2464-1-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB

  • memory/2464-2-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB

  • memory/2464-24-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-8-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-18-0x0000000074FD0000-0x000000007557B000-memory.dmp

    Filesize

    5.7MB