Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 06:59

General

  • Target

    15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe

  • Size

    78KB

  • MD5

    71f4db3c74f290a49e0008139fe2d4f2

  • SHA1

    d137a3640e393da795b36219c630c25250ebb2de

  • SHA256

    15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d

  • SHA512

    9265edbd371ecc74a2c496e38bcb1759e5321fdfc6bbdc964b65d9fae03e4997951a370e191ecc9cbd6a43159c9d4251d52c410a68a53b054537ead953729d61

  • SSDEEP

    1536:auHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte89/5V1LEw:auHY53Ln7N041Qqhge89/5Iw

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
    "C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\orotccwn.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB49F.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2252
    • C:\Users\Admin\AppData\Local\Temp\tmpB396.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB396.tmp.exe" C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB4A0.tmp

    Filesize

    1KB

    MD5

    3241d457eb2ef91be71c92e44874a8dd

    SHA1

    9da47f9339df36c8f5942486d85639a4857d0cbd

    SHA256

    46aed2a27d354d856a2385588eafe569521eebbaeebd49a3dc05df4410ea9471

    SHA512

    c2e27663711a4a0d2b35ac41de52385f1dec01d95475f11e459a177a6bc375289dce25d2dfa0e4da997b621cefaa659fa25a7a36638fe2a480e9491faa101b1d

  • C:\Users\Admin\AppData\Local\Temp\orotccwn.0.vb

    Filesize

    15KB

    MD5

    5c2298c7afe0123f7b29206a6df19eaa

    SHA1

    ef824ea6e0f70c8bf981bc34591823ec6be01bfe

    SHA256

    cc48759fbdcec14bcbe827a34d042c26980336424cc63a8ea34b90d09ec46942

    SHA512

    54e103e295fc4399dae5c425975ba33de093870231b90050f2143a1d4d0f0510684abb5c2a67e4da2b2a7b2605b4537772586c5706cc6f52d181b1c7ad9795fd

  • C:\Users\Admin\AppData\Local\Temp\orotccwn.cmdline

    Filesize

    266B

    MD5

    c60886ce7053742cc59b812fefda4b66

    SHA1

    8c84d1bcec82635d62ddc114efe631c5c0a6e88d

    SHA256

    faf7d618fb04b2d700fb4ce46c4af73d31171b8b2e20d4b73dafcebb30acc41e

    SHA512

    9f5657fbb3ec7a0558a4a6dd0ecc86be2892f79a1ea2db6be941c0a98e54f07c3a2d28eef4b043b385d9a07df7e21167272300307df9bdf8bfb50103236ced4d

  • C:\Users\Admin\AppData\Local\Temp\tmpB396.tmp.exe

    Filesize

    78KB

    MD5

    fa88fca413bc023960f47be7fb3419b4

    SHA1

    c5986c399fa4d69295b78bcbf4060ed7e19b11fd

    SHA256

    fc09a9ab4e17b403b0270ff61d0c2a04d7fb7e4adc2e100a7ed9d0b1fea37d8d

    SHA512

    536f57ed6c3fc433a5bd4ac403b54792af8b1cca794ffda2d9bcba8e570500e945977595c823602ad63a7cf02fe3b02752ec3cb478f49d033fc2a667e07c93b7

  • C:\Users\Admin\AppData\Local\Temp\vbcB49F.tmp

    Filesize

    660B

    MD5

    bca910f77c6625c4ebd154dc6060a4b5

    SHA1

    7ba8e3738612a572a5687bc8b013bc38bc214d33

    SHA256

    503d212b369c45b662d088934db3253da408d0c9224c4da094f23cd7d35c55bd

    SHA512

    8de3f537501a120e3b52276198ff70efd0feed2eecbba4fd89af7f289ab3c88bee112742fcccfd670c298b92710d4d7b16aebb59c1852e36b2ebca637387816d

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/592-0-0x00000000741F1000-0x00000000741F2000-memory.dmp

    Filesize

    4KB

  • memory/592-1-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB

  • memory/592-2-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB

  • memory/592-24-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB

  • memory/2060-8-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB

  • memory/2060-18-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB