Analysis
max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
27/01/2025, 06:59
Static task
static1
Behavioral task
behavioral1
Sample
15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
Resource
win10v2004-20241007-en
General
Target
15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
Size
78KB
MD5
71f4db3c74f290a49e0008139fe2d4f2
SHA1
d137a3640e393da795b36219c630c25250ebb2de
SHA256
15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d
SHA512
9265edbd371ecc74a2c496e38bcb1759e5321fdfc6bbdc964b65d9fae03e4997951a370e191ecc9cbd6a43159c9d4251d52c410a68a53b054537ead953729d61
SSDEEP
1536:auHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte89/5V1LEw:auHY53Ln7N041Qqhge89/5Iw
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Executes dropped EXE 1 IoCs
pid   Process
2936  tmpB396.tmp.exe

Loads dropped DLL 2 IoCs
pid   Process
592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe

Uses the VBS compiler for execution 1 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                                        Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmpB396.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpB396.tmp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
Token: SeDebugPrivilege  2936  tmpB396.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process                                                               procid_target
PID 592 wrote to memory of 2060   592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe  30
PID 592 wrote to memory of 2060   592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe  30
PID 592 wrote to memory of 2060   592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe  30
PID 592 wrote to memory of 2060   592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe  30
PID 2060 wrote to memory of 2252  2060  vbc.exe                                                               32
PID 2060 wrote to memory of 2252  2060  vbc.exe                                                               32
PID 2060 wrote to memory of 2252  2060  vbc.exe                                                               32
PID 2060 wrote to memory of 2252  2060  vbc.exe                                                               32
PID 592 wrote to memory of 2936   592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe  33
PID 592 wrote to memory of 2936   592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe  33
PID 592 wrote to memory of 2936   592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe  33
PID 592 wrote to memory of 2936   592   15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe  33
Processes

C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:592

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\orotccwn.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2060

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB49F.tmp"
      - System Location Discovery: System Language Discovery
      PID:2252

  C:\Users\Admin\AppData\Local\Temp\tmpB396.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB396.tmp.exe" C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
Network
MITRE ATT&CK Enterprise v15
Downloads