Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    99s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2025, 07:39

General

  • Target

    b3ef4701f85b953d37bb7c01d3e5d883fd48e5b42b1778c3ac154d439eefbdb7N.exe

  • Size

    78KB

  • MD5

    31142bfbf1a11d7bb0fc781e4a150f60

  • SHA1

    39802862cf1fc6fca6b3246fa54aec81ff585e62

  • SHA256

    b3ef4701f85b953d37bb7c01d3e5d883fd48e5b42b1778c3ac154d439eefbdb7

  • SHA512

    0275f5dabaeae487d7adc597717358ab3d9e56446372aa7e0f16f9cce96eb478c3616c9b70dbbf8ed330b2b377e18a0ebd8a2e664c7e377e46e3967292d0e8b1

  • SSDEEP

    1536:auHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte89/5V1LE:auHY53Ln7N041Qqhge89/5I

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3ef4701f85b953d37bb7c01d3e5d883fd48e5b42b1778c3ac154d439eefbdb7N.exe
    "C:\Users\Admin\AppData\Local\Temp\b3ef4701f85b953d37bb7c01d3e5d883fd48e5b42b1778c3ac154d439eefbdb7N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yoj6q3ua.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES388F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc388E.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3024
    • C:\Users\Admin\AppData\Local\Temp\tmp3794.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp3794.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b3ef4701f85b953d37bb7c01d3e5d883fd48e5b42b1778c3ac154d439eefbdb7N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES388F.tmp

    Filesize

    1KB

    MD5

    188d8f5322ddc6746542a5fa10ab0234

    SHA1

    288ddaea2040b106c37be7a6ab8a60aaf7897b06

    SHA256

    df63d784a1316408ffff4696af4b9bab2becf3c92b0c8cf56804d200cae6f884

    SHA512

    2f914705492587f189d45902a40c02cd6dd32c5a382afa178e6b20c5b2e10f9a1571e7e6579e9ce483fe4f8a95ecc265539509bae15af47cb379971dd30cd907

  • C:\Users\Admin\AppData\Local\Temp\tmp3794.tmp.exe

    Filesize

    78KB

    MD5

    6dcf0bc446906809eef6c99508061d47

    SHA1

    cc68e0944c444cfcc76b850d079c302e0011158b

    SHA256

    55e0d6d8f639797285408a8c2910844c5e8fab7b434df58c3084faecb9e4471b

    SHA512

    b0e1d8753db5fd13a5dfd8e2954396e536427b8eee11277bdbc4c604f1743e9d0e2f8fe6ba4ea9c4d3243b474e7f6c6d186ae69c8c9a67869c58b23be37f1624

  • C:\Users\Admin\AppData\Local\Temp\vbc388E.tmp

    Filesize

    660B

    MD5

    f72b1fa9faf598a717f0fa4a28df2fe1

    SHA1

    d96690114bebe0ab9c26a6f5d367e6fcf0a0310b

    SHA256

    42b29f2e1296266e327d5fc176385628bb5d72028aa3c13855ce356dfa95ab40

    SHA512

    0e2323b304182ba0dc21141669cfaaa4122e3ff9db66f0d07a166231c3c6cf195272f197391afb8a86d55fb3ecdb2305b7a873bc113f170643fe696b0d7c2134

  • C:\Users\Admin\AppData\Local\Temp\yoj6q3ua.0.vb

    Filesize

    15KB

    MD5

    de3c8594aa8bedbd6e83e001d87822fb

    SHA1

    7a934c14a8a74920781cf057126cfa6983271771

    SHA256

    2b4b96e5e22dddf83b966c551d4beaa2dd77ad470c1e7705acf62b19425624ce

    SHA512

    4080a2b402c49d6a18865c44eb876e36734188052b2900241659c6f9f9f1393e7f09a8a4c5b077690ba7baedd9792e8c6a55de5bef7c0f04c1af87bb37ac0045

  • C:\Users\Admin\AppData\Local\Temp\yoj6q3ua.cmdline

    Filesize

    266B

    MD5

    c3e1ee5521ba1f6c7e011be4063993d4

    SHA1

    7feacae06369e5cf9779986fee0763547f185639

    SHA256

    6d74ad4771a2fef00fdb726e26acd389afa0f719f3e0775d97fe097f91443487

    SHA512

    9c2273c2553e47d4df49a0a904d352e0bbd5c7bc35fded31275c5a8c7efe5cc8e408f212482948a889a63599f175805ebcd9651f44d09f72ab3c2a9d53e9e49f

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/1712-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

    Filesize

    4KB

  • memory/1712-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

  • memory/1712-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

  • memory/1712-24-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

  • memory/3008-8-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

  • memory/3008-18-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB