Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2025, 10:46

General

  • Target

    a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe

  • Size

    78KB

  • MD5

    7ee472bfd0e44c494ea26d3f028a578e

  • SHA1

    85c00e765a09c3f0fcbbb143d808fc3234b7ad59

  • SHA256

    a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c

  • SHA512

    397db579c4a9013b76af8ff8f2cb98f382cdafcdf2f9f508d9127bd7d889072db435ad9feaee1ee7ad8bd6fea05b1c3a8e7d02d6a99b8945adb5d4d820aff348

  • SSDEEP

    1536:DCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRj9/q1gQy:DCHF8h/l0Y9MDYrm7Rj9/ay

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
    "C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\no0bdejn.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE57.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2276
    • C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESCE58.tmp

    Filesize

    1KB

    MD5

    df795e5ac56a095c8ca9a71b664081ef

    SHA1

    34acbef0b0d1bedc321f81813a7f3e88782b37f4

    SHA256

    d004933379f0f8be0eca8b867e548ade7fa48c9b6e6e5d6f9aa8376dd17ce5e7

    SHA512

    5bcd48e70c2fa607fad70cb215fc715963af9d4f0de9ce50ab3fe57f7036e565ec11b4fe90e7a7580640dc7dfee36ec1a0829c5b2ecb5bd9ca0027cc4a7af2d7

  • C:\Users\Admin\AppData\Local\Temp\no0bdejn.0.vb

    Filesize

    15KB

    MD5

    178061fd6160f91ac312cf20c222d5dc

    SHA1

    e91d4c03a0b1ad47a4a698d6a8b5fe8d6e90106f

    SHA256

    09a0cca010e7a769362deafac71de4559fa2806abef8ce8c659588c6000ff849

    SHA512

    c968b83e6882c19d49f6973333699365ae2a97d2062c190020f2137daecaef8fcaae2fabecb0132a769d8b747a886e042e22d1845c904562f060375ff947e6e4

  • C:\Users\Admin\AppData\Local\Temp\no0bdejn.cmdline

    Filesize

    266B

    MD5

    0a13d1a28b9379913af343823dd22e8d

    SHA1

    65e256aa388713d137dff8e709f7a5eba76473f5

    SHA256

    07b613b7981fb5bef3c8c59e6e66b642c41d4d04462f85e2a8b783570fa2d684

    SHA512

    3bec535c0a02e1cc002aca3cbba7f32bbc61c8fa562e15f04ad271b97defee9d3ebe06840170c7541e39e2961e26d98fe137037183135d7bf28599c529f29dab

  • C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp.exe

    Filesize

    78KB

    MD5

    fb3a85929cdac6bc0e1249cc8de35020

    SHA1

    f70d4f6c0b935056f9823367cf091bb14e6b27c9

    SHA256

    bb84af1275cbde28f6b762af0167856c895eaf1434f767512cbd5b41637b5ef0

    SHA512

    527f7c2235f358ebc217440e16a1c7b61d5b5f9b8feaef344cba9dca82d6b12423cf99e800fd518615460b2633132c61bdce985730a48996ab5f2b75c1c46bd6

  • C:\Users\Admin\AppData\Local\Temp\vbcCE57.tmp

    Filesize

    660B

    MD5

    46b057b5c02bddcd30ef07ee98e203ca

    SHA1

    d95d29e85bf715b1538e7e92096c74875c1260b0

    SHA256

    2cc7a1c45e72d4469601a7d1a2d8b54806e1b29e611319d026a9b8ac325d022b

    SHA512

    49f59d46945472c6ae36551010ab72737ceedde154cca820d2212b799c676a1d8974be29dceedf90fefe6a6e372a5ced35396096eca460750e45872b0a82a385

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/2100-8-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2100-18-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2232-0-0x00000000748F1000-0x00000000748F2000-memory.dmp

    Filesize

    4KB

  • memory/2232-1-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2232-2-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2232-24-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB