Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 10:46
Static task: static1
Behavioral task: behavioral1
  Sample: a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
  Resource: win10v2004-20241007-en
General
Target: a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
Size: 78KB
MD5: 7ee472bfd0e44c494ea26d3f028a578e
SHA1: 85c00e765a09c3f0fcbbb143d808fc3234b7ad59
SHA256: a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c
SHA512: 397db579c4a9013b76af8ff8f2cb98f382cdafcdf2f9f508d9127bd7d889072db435ad9feaee1ee7ad8bd6fea05b1c3a8e7d02d6a99b8945adb5d4d820aff348
SSDEEP: 1536:DCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRj9/q1gQy:DCHF8h/l0Y9MDYrm7Rj9/ay
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.
Metamorpherrat family
Executes dropped EXE  1 IoCs
  pid   Process
  784   tmpCD9B.tmp.exe
Loads dropped DLL  2 IoCs
  pid   Process
  2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
  2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
Uses the VBS compiler for execution  1 TTPs
(vbc.exe is the Visual Basic .NET command-line compiler; here it is invoked with a response file from %TEMP%, i.e. the sample compiles its next stage on the victim at runtime.)
Adds Run key to start application  2 TTPs  1 IoCs
  description      ioc                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""  tmpCD9B.tmp.exe
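The Run-key row above is the persistence IoC a responder would triage first: the value name (peverify) and the image name (Microsoft.CSharp.exe) are borrowed from the .NET toolchain, but the file sits in the user's %TEMP% rather than under the framework directory, and the write went to the user hive, so no elevation was needed. The following Python is an added example, not code from the report or from tria.ge: it parses rows in the report's "Set value (str) ... = "<data>" <process>" format and applies those three checks. The staging-directory list, the .NET tool-name list and the benign OneDrive row used for comparison are constructed assumptions for illustration, not data from the report.

```python
import re
from pathlib import PureWindowsPath

# Registry IoC row copied from the report (value data is in the sandbox's escaped string form).
REPORT_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\peverify'
    r' = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" tmpCD9B.tmp.exe'
)
# Constructed benign row for comparison (not from the report): a typical per-user OneDrive autostart.
BENIGN_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive'
    r' = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" OneDriveSetup.exe'
)

IOC_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\(USER|MACHINE)\\.*?\\CurrentVersion\\Run\\(\S+) = '
    r'"((?:[^"\\]|\\.)*)" (\S+)$'
)


def parse_run_ioc(line):
    """Split a Run-key 'Set value (str)' row into hive, value name, target image, arguments, writer."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    hive, name, data, writer = m.groups()
    data = re.sub(r"\\(.)", r"\1", data)          # undo the \" and \\ escaping of the value data
    if data.startswith('"'):                       # quoted image path, then optional arguments
        end = data.find('"', 1)
        target, args = data[1:end], data[end + 1:].strip()
    else:                                          # unquoted: first token is the image
        target, _, args = data.partition(" ")
    return {"hive": hive, "name": name, "target": target, "args": args, "writer": writer}


# Assumed lists: user-writable staging locations and .NET toolchain names worth a second look.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
DOTNET_TOOL_NAMES = {"peverify", "csc", "vbc", "ilasm", "ildasm", "cvtres", "regasm", "microsoft.csharp"}
FRAMEWORK_DIR = "\\windows\\microsoft.net\\"


def assess(entry):
    """Return the reasons a parsed Run value looks suspicious (empty list = nothing notable)."""
    reasons = []
    target = entry["target"].lower()
    if any(d in target for d in STAGING_DIRS):
        reasons.append("autostart target lives in a user-writable staging directory")
    stem = PureWindowsPath(entry["target"]).stem.lower()
    if {entry["name"].lower(), stem} & DOTNET_TOOL_NAMES and FRAMEWORK_DIR not in target:
        reasons.append(".NET toolchain name used for a file outside the framework directory")
    if entry["hive"] == "USER" and reasons:
        reasons.append("written to the user hive (HKCU), so no admin rights were needed")
    return reasons


if __name__ == "__main__":
    for row in (REPORT_IOC, BENIGN_IOC):
        e = parse_run_ioc(row)
        print(f"{e['name']:10} -> {e['target']}  written by {e['writer']}")
        for r in assess(e):
            print("   !", r)
```

The benign OneDrive row also lives under AppData\Local, which is why the check keys on Temp, Downloads and Public rather than on AppData as a whole; flagging every per-user autostart would bury the real finding.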
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery  1 TTPs  4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tmpCD9B.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vbc.exe
Suspicious use of AdjustPrivilegeToken  2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
  Token: SeDebugPrivilege  784   tmpCD9B.tmp.exe
Suspicious use of WriteProcessMemory  12 IoCs
  description                        pid   Process                                                                  procid_target
  PID 2232 wrote to memory of 2100   2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  31
  PID 2232 wrote to memory of 2100   2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  31
  PID 2232 wrote to memory of 2100   2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  31
  PID 2232 wrote to memory of 2100   2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  31
  PID 2100 wrote to memory of 2276   2100  vbc.exe                                                                  33
  PID 2100 wrote to memory of 2276   2100  vbc.exe                                                                  33
  PID 2100 wrote to memory of 2276   2100  vbc.exe                                                                  33
  PID 2100 wrote to memory of 2276   2100  vbc.exe                                                                  33
  PID 2232 wrote to memory of 784    2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  34
  PID 2232 wrote to memory of 784    2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  34
  PID 2232 wrote to memory of 784    2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  34
  PID 2232 wrote to memory of 784    2232  a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  34
Processes
  C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe  (PID 2232)
    command line: "C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2100)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\no0bdejn.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2276)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE57.tmp"
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp.exe  (PID 784)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
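The process tree above shows the pattern worth alerting on: the sample in %TEMP% launches vbc.exe with a response file in %TEMP%, vbc.exe hands off to cvtres.exe to link resources, and the freshly built tmpCD9B.tmp.exe is then run from %TEMP% with the original sample's path as its argument. The Python below is an added example, not code from the report or from tria.ge: it rebuilds parent/child links from the twelve WriteProcessMemory rows (the sandbox logs each parent write into a new child four times, so the parser de-duplicates), renders the tree, and flags the two things a detection engineer would key on: a .NET compiler started by something other than a development tool with its input in %TEMP%, and a %TEMP%-resident binary launched by another %TEMP%-resident binary. The process inventory is transcribed from the report; the allow-list of legitimate compiler parents is an assumption.

```python
import ntpath
import re
from collections import defaultdict

# Process inventory transcribed from the report's Processes section: pid -> (image, arguments).
SAMPLE = "a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
PROCESSES = {
    2232: (ntpath.join(TEMP, SAMPLE), ""),
    2100: (ntpath.join(FX, "vbc.exe"), f'/noconfig @"{ntpath.join(TEMP, "no0bdejn.cmdline")}"'),
    2276: (ntpath.join(FX, "cvtres.exe"),
           f'/NOLOGO /READONLY /MACHINE:IX86 "/OUT:{ntpath.join(TEMP, "RESCE58.tmp")}" "{ntpath.join(TEMP, "vbcCE57.tmp")}"'),
    784: (ntpath.join(TEMP, "tmpCD9B.tmp.exe"), ntpath.join(TEMP, SAMPLE)),
}

# The report's 12 WriteProcessMemory rows, one per line, exactly as the sandbox logged them.
WPM_EVENTS = "\n".join(
    [f"PID 2232 wrote to memory of 2100 2232 {SAMPLE} 31"] * 4
    + ["PID 2100 wrote to memory of 2276 2100 vbc.exe 33"] * 4
    + [f"PID 2232 wrote to memory of 784 2232 {SAMPLE} 34"] * 4
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ .+? (\d+)$")


def parse_edges(text):
    """Return the de-duplicated set of (parent_pid, child_pid) pairs from WriteProcessMemory rows."""
    edges = set()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def parents_of(edges):
    """Map child pid -> parent pid; the writer that sets up a new process is its creator."""
    return {child: parent for parent, child in edges}


COMPILERS = {"vbc.exe", "csc.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}  # assumed allow-list
TEMP_MARKER = "\\appdata\\local\\temp\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return TEMP_MARKER in path.lower()


def analyse(processes, events):
    """Walk the tree and return (rule, pid, detail) findings."""
    parents = parents_of(parse_edges(events))
    findings = []
    for pid, (image, args) in processes.items():
        name = basename(image)
        pimage = processes.get(parents.get(pid), ("", ""))[0]
        pname = basename(pimage) if pimage else None
        # Runtime compilation: a .NET compiler whose parent is not a dev tool and whose input is in %TEMP%.
        if name in COMPILERS and pname not in DEV_PARENTS and in_temp(args):
            findings.append(("runtime-compile", pid, f"{pname} -> {name} with response file in %TEMP%"))
        # Dropped payload: a %TEMP% binary started by another %TEMP% binary.
        if in_temp(image) and pimage and in_temp(pimage):
            findings.append(("dropped-payload", pid, f"{name} started from %TEMP% by {pname}"))
    return findings


def render(processes, events):
    """Indented process tree in the same shape as the report's Processes section."""
    parents = parents_of(parse_edges(events))
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        image, args = processes[pid]
        lines.append(f"{'  ' * depth}{basename(image)} (pid {pid}) {args}".rstrip())
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in (p for p in processes if p not in parents):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PROCESSES, WPM_EVENTS))
    for rule, pid, detail in analyse(PROCESSES, WPM_EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

cvtres.exe is deliberately not flagged on its own: it is a normal child of vbc.exe, and alerting on it would only duplicate the runtime-compile finding for its parent.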
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: df795e5ac56a095c8ca9a71b664081ef
SHA1: 34acbef0b0d1bedc321f81813a7f3e88782b37f4
SHA256: d004933379f0f8be0eca8b867e548ade7fa48c9b6e6e5d6f9aa8376dd17ce5e7
SHA512: 5bcd48e70c2fa607fad70cb215fc715963af9d4f0de9ce50ab3fe57f7036e565ec11b4fe90e7a7580640dc7dfee36ec1a0829c5b2ecb5bd9ca0027cc4a7af2d7

Filesize: 15KB
MD5: 178061fd6160f91ac312cf20c222d5dc
SHA1: e91d4c03a0b1ad47a4a698d6a8b5fe8d6e90106f
SHA256: 09a0cca010e7a769362deafac71de4559fa2806abef8ce8c659588c6000ff849
SHA512: c968b83e6882c19d49f6973333699365ae2a97d2062c190020f2137daecaef8fcaae2fabecb0132a769d8b747a886e042e22d1845c904562f060375ff947e6e4

Filesize: 266B
MD5: 0a13d1a28b9379913af343823dd22e8d
SHA1: 65e256aa388713d137dff8e709f7a5eba76473f5
SHA256: 07b613b7981fb5bef3c8c59e6e66b642c41d4d04462f85e2a8b783570fa2d684
SHA512: 3bec535c0a02e1cc002aca3cbba7f32bbc61c8fa562e15f04ad271b97defee9d3ebe06840170c7541e39e2961e26d98fe137037183135d7bf28599c529f29dab

Filesize: 78KB
MD5: fb3a85929cdac6bc0e1249cc8de35020
SHA1: f70d4f6c0b935056f9823367cf091bb14e6b27c9
SHA256: bb84af1275cbde28f6b762af0167856c895eaf1434f767512cbd5b41637b5ef0
SHA512: 527f7c2235f358ebc217440e16a1c7b61d5b5f9b8feaef344cba9dca82d6b12423cf99e800fd518615460b2633132c61bdce985730a48996ab5f2b75c1c46bd6

Filesize: 660B
MD5: 46b057b5c02bddcd30ef07ee98e203ca
SHA1: d95d29e85bf715b1538e7e92096c74875c1260b0
SHA256: 2cc7a1c45e72d4469601a7d1a2d8b54806e1b29e611319d026a9b8ac325d022b
SHA512: 49f59d46945472c6ae36551010ab72737ceedde154cca820d2212b799c676a1d8974be29dceedf90fefe6a6e372a5ced35396096eca460750e45872b0a82a385

Filesize: 62KB
MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d