Analysis
- max time kernel: 140s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/01/2025, 22:36
Static task: static1
Behavioral task: behavioral1
- Sample: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
- Resource: win10v2004-20241007-en
General
- Target: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
- Size: 78KB
- MD5: cbc8b8f41ccac7371e1e8c987900ef98
- SHA1: dc8319f56aa110cef5323b171cd7a800ccacf404
- SHA256: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d
- SHA512: cb587c04d55a366fcf91a9b82c5852a24c734b3c88b60aca9a2ef3982fa833c4171e7fd3c24e1443bc4cc088df471d612976b5bd843fdd07ca7bff015b1ab2ed
- SSDEEP: 1536:cRWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte6S9/R1Db:cRWtHa3Ln7N041Qqhge6S9/b
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a remote access tool that has been in circulation since 2013.
- MetamorpherRAT family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (process: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe)
- Executes dropped EXE (1 IoC)
  PID 1644: tmp6EF6.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
  The process tree below shows vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework, invoked at runtime with a response file from the user's Temp directory; the compiled output is then executed as a dropped EXE.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe" (process: tmp6EF6.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe, vbc.exe, cvtres.exe, tmp6EF6.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4468 (5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe)
  Token: SeDebugPrivilege, PID 1644 (tmp6EF6.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4468 (5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe) wrote to memory of PID 224 (vbc.exe), procid_target 82, 3 events
  PID 224 (vbc.exe) wrote to memory of PID 5048 (cvtres.exe), procid_target 84, 3 events
  PID 4468 (5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe) wrote to memory of PID 1644 (tmp6EF6.tmp.exe), procid_target 85, 3 events
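The behaviours above (a .NET compiler launched at runtime by an executable in Temp, a Temp-resident executable spawning another, a Run key pointing into Temp, and the Geo\Nation lookup) are each detectable from ordinary process-creation and registry telemetry. The following is an added example written for this page, not tria.ge's signature code; the events it runs over are constructed to mirror the report's process tree and IoCs in a generic EDR shape, the benign control events (a build tool under Program Files) are invented, and the choice of "user-writable" directories is an assumption you should tune to your environment.

```python
import re

# Rule building blocks. "User-writable" means the profile directories a
# standard user controls: a compiler whose parent lives there, or a Run
# key pointing there, is far more suspicious than the same activity under
# Program Files or Windows. Directory list is an assumption; tune it.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
RUNTIME_COMPILERS = {"vbc.exe", "csc.exe"}  # shipped with the .NET Framework

SID = "S-1-5-21-3227495264-2217614367-4027411560-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe"
FX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed events modelled on the report's process tree and IoCs in a
# generic EDR shape (not real telemetry). The last three are benign
# controls: a build tool under Program Files launching vbc.exe and reading
# Geo\Nation itself; neither should fire.
EVENTS = [
    {"type": "process", "pid": 4468, "ppid": 900, "image": SAMPLE},
    {"type": "registry_query", "pid": 4468,
     "key": r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID},
    {"type": "process", "pid": 224, "ppid": 4468, "image": FX + r"\vbc.exe",
     "cmdline": r'"%s\vbc.exe" /noconfig @"%s\t_h6ygnf.cmdline"' % (FX, TEMP)},
    {"type": "process", "pid": 5048, "ppid": 224, "image": FX + r"\cvtres.exe"},
    {"type": "process", "pid": 1644, "ppid": 4468, "image": TEMP + r"\tmp6EF6.tmp.exe"},
    {"type": "registry_set", "pid": 1644,
     "key": r"\REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML" % SID,
     "value": r'"%s\AppLaunch.exe"' % TEMP},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": FX + r"\vbc.exe"},
    {"type": "registry_query", "pid": 200,
     "key": r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID},
]


def basename(path):
    """Last path component, lower-cased, for image-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) tuples, in event order, for every event that matches.

    Parent images are resolved from the process events in the same batch, so
    the rules key on lineage (who launched the compiler) rather than on the
    compiler alone, which is what keeps build servers quiet.
    """
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        actor = images.get(e["pid"], "")
        if e["type"] == "process":
            parent = images.get(e["ppid"], "")
            # vbc.exe/csc.exe is normal under MSBuild; not under %TEMP%\foo.exe
            if basename(actor) in RUNTIME_COMPILERS and USER_WRITABLE.search(parent):
                alerts.append(("runtime_compiler_from_user_dir", e["pid"]))
            # dropper in Temp executing its freshly compiled child in Temp
            if TEMP_DIR.search(actor) and TEMP_DIR.search(parent):
                alerts.append(("temp_exe_spawns_temp_exe", e["pid"]))
        elif e["type"] == "registry_set":
            # autorun entry whose target lives in a directory anyone can write
            if RUN_KEY.search(e["key"]) and TEMP_DIR.search(e["value"]):
                alerts.append(("run_key_points_to_temp", e["pid"]))
        elif e["type"] == "registry_query":
            # geofence check by something living in the user profile
            if GEO_NATION.search(e["key"]) and USER_WRITABLE.search(actor):
                alerts.append(("geo_nation_lookup_from_user_dir", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:34} pid={pid}")
```

Run against the constructed batch this yields four alerts, one per behaviour in the report, and none for the MSBuild control; the Geo\Nation rule is the noisiest of the four on real endpoints, so treat it as enrichment for the other three rather than a standalone alert.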
Processes
C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe"
  PID: 4468
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t_h6ygnf.cmdline"
    PID: 224
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES701F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc305BCEB395344767B2C9E429FA2C61AF.TMP"
      PID: 5048
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmp6EF6.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6EF6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
    PID: 1644
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
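The vbc.exe command line in the tree above compiles from a response file (the @"...cmdline" argument) rather than from arguments on the command line, so the compiler options, the output path and the source file are only visible in that file. When it is recovered from the sandbox's dropped files, parsing it tells a responder where the compiled binary went and which source to pull. The parser below is an added example written for this page, not tria.ge's code or anything from the sample; the response-file text it parses is constructed to follow the layout the .NET CodeDOM compiler writes, and the source filename t_h6ygnf.0.vb is an assumption (the report shows only the .cmdline name).

```python
# Constructed response-file content (not the report's actual file). CodeDOM
# writes the options on one line, paths double-quoted, /out: pointing at the
# tmpXXXX.tmp.exe that the sandbox then records as a dropped EXE.
SAMPLE_CMDLINE = (
    r'/t:exe /utf8output /R:"System.dll" /R:"System.Windows.Forms.dll" '
    r'/out:"C:\Users\Admin\AppData\Local\Temp\tmp6EF6.tmp.exe" /debug- /optimize+ '
    r'"C:\Users\Admin\AppData\Local\Temp\t_h6ygnf.0.vb"'
)


def tokenize(text):
    """Split on whitespace outside double quotes and drop the quotes.

    shlex is avoided on purpose: in POSIX mode it treats backslashes as
    escapes, which mangles Windows paths; in non-POSIX mode it does not
    recognise a quote that starts mid-token, as in /out:"C:\\a b\\x.exe".
    """
    tokens, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_response_file(text):
    """Return the compiler options that matter for triage.

    Options start with / or - and take their value after the first colon
    (the path value itself may contain colons, hence partition, not split).
    Anything that is not an option is a source file.
    """
    info = {"target": None, "out": None, "references": [], "sources": [], "other": []}
    for tok in tokenize(text):
        if tok[:1] in ("/", "-"):
            name, _, value = tok[1:].partition(":")
            name = name.lower()
            if name == "out":
                info["out"] = value
            elif name in ("t", "target"):
                info["target"] = value
            elif name in ("r", "reference"):
                info["references"].extend(v for v in value.split(",") if v)
            else:
                info["other"].append(tok)
        else:
            info["sources"].append(tok)
    return info


def triage(text):
    """Parse and flag: compiling from, or into, the user's Temp directory is
    the runtime-compilation pattern seen in this report, not a build."""
    info = parse_response_file(text)

    def in_temp(path):
        return bool(path) and "\\appdata\\local\\temp\\" in path.lower()

    info["suspicious"] = in_temp(info["out"]) or any(in_temp(s) for s in info["sources"])
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("output   :", result["out"])
    print("sources  :", result["sources"])
    print("refs     :", result["references"])
    print("flagged  :", result["suspicious"])
```

The recovered /out: path is the file to hash and compare against the Downloads section, and the source file is the artefact to read, since it is the attacker's code in clear text rather than a compiled binary.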
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d112da5f5bb0efb6eede56f221f1900c
  SHA1: 63b628525616e5aae3ca943ca8e18cd6aefd122a
  SHA256: 08eddd3e6192f405e2ee80fa0deb5f07e6fd44ca65e87093856d47df8323a923
  SHA512: e7839ee36f084e7c3918b17eb82e69be76048a72d785c28659fab1c959e01fa9dc8da8a6c3aa1c941a7f0b92472737d4f2748a5ac0f03a01bba7390ebc6c0e2a
- Filesize: 15KB
  MD5: ab104280afc365ef50341810aede5a93
  SHA1: 63b97b18b79f8a4a0156194b5cdcd3854ad8436b
  SHA256: 26691010c243e4365d9e54c06ac33098b8822f59bf0fe8933a6486ee753ee280
  SHA512: 36b1180e80c7ae23af883339cb8991ef8b551d4400153fc89aeb195b64385ce18456bd02667396a1b592f67146126bed4a92164da090fb8a1ebc0bb786b7bfe9
- Filesize: 266B
  MD5: 1eea39afe6e52b706df7a52e3e140a9b
  SHA1: 1b9ae35c3e8dfc8ba0432c827058202776956baf
  SHA256: 13244427a879da501ccf170db99528a311cf0f1c4c47f8d02bbe739fb4410bd8
  SHA512: 018d51760803f31975e4e1d0a1345ab043662d39e09b0c27c85618e02ff773b522a6851301968f8ed2f6ad30a0bc3fe49fdf8d736a1bc54c60d26a14b386e5e1
- Filesize: 78KB
  MD5: 68da14b570706057c162bd4415ed5ceb
  SHA1: 42d9f703aa778cdb31b3c94a11cd6af9deb60120
  SHA256: c2dc2d424c175eb7bac54508360d77be11b97046a5217eac5e34275f6f38fd7c
  SHA512: a43e235dd6c2eeffd34be1115d4a08c7edfcc99b657b059fd0507bf2b4120c2372edec2a995cd80a5358b990443f6d0d160d0a7680e3ed1cfce751b207bbdeb1
- Filesize: 660B
  MD5: 5ce389c006b12b35ef02844d1822b6b8
  SHA1: 21f171dd1ea8a966461faf0f73803f0fd5b35429
  SHA256: 8a27a1e4201152f7108a343bb5aeac38129e8e0fb85be568e11d25a5a56dbffc
  SHA512: c18dbc41f7cf65f112cb45e118ccac142232f17d33f82bcc421d56a6537195b61cade9fabfe6ed9dc60dbe9b2ec7f025a5c42bafd2a2cc6e6a060357b09d7d50
- Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65