Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2025, 00:31
Static task: static1

Behavioral task: behavioral1
- Sample: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
- Resource: win10v2004-20241007-en
General
- Target: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
- Size: 78KB
- MD5: 12d6e4ff4033556686cdccaf7af4478f
- SHA1: c2f3f06052a6389f9ff79797e2b6d19d42c27cb9
- SHA256: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2
- SHA512: 97c39fbd3fecef75050dbfe517a902a4e329e2cd0190924b73a1634847e50de7ae1af88af7e34624dbf9b1ff6d8b0a66eee401583517e003542ec42197e34593
- SSDEEP: 1536:mPWV5jAXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6i9/Bj1nZ:mPWV5j4SyRxvY3md+dWWZyh9/9
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
- Deletes itself (1 IoC)
  pid: 3936 | Process: tmpAE9F.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 3936 | Process: tmpAE9F.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | Process: tmpAE9F.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: vbc.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: cvtres.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: tmpAE9F.tmp.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 3340 | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
  description: Token: SeDebugPrivilege | pid: 3936 | Process: tmpAE9F.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 3340 wrote to memory of 1228 | pid: 3340 | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe | procid_target: 83
  description: PID 3340 wrote to memory of 1228 | pid: 3340 | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe | procid_target: 83
  description: PID 3340 wrote to memory of 1228 | pid: 3340 | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe | procid_target: 83
  description: PID 1228 wrote to memory of 4564 | pid: 1228 | Process: vbc.exe | procid_target: 85
  description: PID 1228 wrote to memory of 4564 | pid: 1228 | Process: vbc.exe | procid_target: 85
  description: PID 1228 wrote to memory of 4564 | pid: 1228 | Process: vbc.exe | procid_target: 85
  description: PID 3340 wrote to memory of 3936 | pid: 3340 | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe | procid_target: 86
  description: PID 3340 wrote to memory of 3936 | pid: 3340 | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe | procid_target: 86
  description: PID 3340 wrote to memory of 3936 | pid: 3340 | Process: 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe | procid_target: 86
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3340
  - Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v7nlg3ll.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1228
    - Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E93176355F74772BBD5C0ADA826B6AF.TMP"
      - System Location Discovery: System Language Discovery
      PID: 4564
  - Level 2: C:\Users\Admin\AppData\Local\Temp\tmpAE9F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAE9F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3936
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 8aebc193ff5568ef599b05ec0c6da595
  SHA1: c7948da9545dc4319f36af5c49f1040bd0d4c208
  SHA256: ed57948d0e8c0ff946e80bb5fa54f47f6e1145a6c5854bf1b44a657f04dd11bd
  SHA512: 008882a1d777d7d130f5b9c092ce77369aa047d94866db21e84625f8e7fdc37aab1fd0036cffbe77fd829f4709c0bd0b3efa031187abf9f75c17aed79b30941b
- Filesize: 78KB
  MD5: b8a1a737dd502226402846dff324e8c6
  SHA1: ebde3e008dbdaefe2695e6c91e0a1d369541ed25
  SHA256: 2db4ba551c93c5a00a793cadccc14617e0576622e52a3f4b3ca49ce41981ff2c
  SHA512: ab69b445385a9f87fd4426641bfd0f430720353af3a822215168cd53020a8ef8d4d1b9ad91dbed88f714d175e7f9ca05340017256498e2d4046dd2f0c6b16f42
- Filesize: 14KB
  MD5: 501816f91cc02511038774ad14e9fb42
  SHA1: dd13a4b052b9d4868c624fd95a33afe40fc624b2
  SHA256: 74bfd07efd727d974e223f9c1daa99f6a8834b9573ea685e8e0adb3700cf44eb
  SHA512: 97216ff5bc09d4ad89bb3edbbc6b406f56b878ec3b86a03f9a72c59710a6461f7f665298a980c8ae41a9b4566157851830df3ec5c47f00f6fa58d40378096239
- Filesize: 266B
  MD5: 9b5d34206665492b27e78ca030d1305e
  SHA1: 423c40eb0edb5907c3b0e1b7cd2aa7be273dd6e6
  SHA256: 028c2b7fd7e90b93847d3c60b7fbb6b9a6fc1f96a09bcabde74459dfe9a92ea6
  SHA512: 9ba15610881b3e5b0bf8de65e34d5dbee4d4a0ac89096246bc123389462959a350ca3143e1380a9c46887af6fc14a321bcacac76f49974e9ac14d4239f015da1
- Filesize: 660B
  MD5: 0ae695f7599039d6471632a8cdcb5a2e
  SHA1: 1825db7eb937804e51ed9c0ee6d71975b4567788
  SHA256: d913f9b19333d105d531ee797e835e53334f3974147f5a4fefc410cf48356722
  SHA512: 91460e46b03a6baaff5197eddfdac23bf2ba81518e095f2ce0710d48f81b7b27d08b972fbff5fbc03082f591a2d27539fd3b507717095e7fae8460c2e92b502a
- Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107