Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 103s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2025, 18:04
Static task: static1
Behavioral task: behavioral1
- Sample: c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
- Resource: win10v2004-20250129-en
General
- Target: c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
- Size: 78KB
- MD5: ea191a74e1c2bbcf50687d16fb91cc12
- SHA1: cfcb47bdd113a323289c94ea83fca8e1171a653e
- SHA256: c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4
- SHA512: 690fcd546fc3673b51f068a58d78f4c25dc278c9a2f0278ff4944430fa8083b859f1e70e6c28e4d16ddbaff1870b0a707086268c561cb466a620b406f3a577a6
- SSDEEP: 1536:OPy5jqXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty699//+1xxb:OPy5jSSyRxvhTzXPvCbW2UV9//0b
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1232 | tmpB229.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmpB229.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB229.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4852 | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
  Token: SeDebugPrivilege | 1232 | tmpB229.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4852 wrote to memory of 2516 | 4852 | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe | 83
  PID 4852 wrote to memory of 2516 | 4852 | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe | 83
  PID 4852 wrote to memory of 2516 | 4852 | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe | 83
  PID 2516 wrote to memory of 3484 | 2516 | vbc.exe | 87
  PID 2516 wrote to memory of 3484 | 2516 | vbc.exe | 87
  PID 2516 wrote to memory of 3484 | 2516 | vbc.exe | 87
  PID 4852 wrote to memory of 1232 | 4852 | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe | 90
  PID 4852 wrote to memory of 1232 | 4852 | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe | 90
  PID 4852 wrote to memory of 1232 | 4852 | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4852
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hyb5hk0r.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2516
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc539354BDAE8246AE87F1BDA4FC18456D.TMP"
      - System Location Discovery: System Language Discovery
      PID: 3484
  - C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1232
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 93dcab37a06fdce28c625640c8ee08ae
  SHA1: 196439eef6cf3ef8e1f9c9abfa86b862830c452f
  SHA256: 7513fe5824e4889bf950d199b1c463447c2b29b908504dd3abb6eaac9b4ab98f
  SHA512: ce6a738290a5bb1fda11ec850e99a6bf167d681275ceb9231a1eaf54f813e0744f2e0e2dc076128cbcfae3ee28f5ea722e42bb027f8487d47cb97ca84f4d7804
- Filesize: 14KB
  MD5: a81ae0467ca7512a8a68a244208eba1a
  SHA1: d3c629fa410d0b67cacc1a8f7294b2a2b04bf6e1
  SHA256: 7bd7b918754193520ccf54489ef395187be993e45c2b29c2bacba00e124380bd
  SHA512: f18a6250939a7236f82105c3fe65df2cc68f8b18aa997c902ad16772331a545455d4c6fa4bdd767aa5c10d59c863ea4825ac264f0967202d586739d2f4d1f791
- Filesize: 266B
  MD5: 4b19a55d9d1cbeaed309dfc87bdbb826
  SHA1: 995f34b40949006cdbe4658d6d688661bc6e2d9b
  SHA256: 09090242d4df8d831ee4eb2cc49d10cb87f563fc84a7a47cadcbc0fbcd6b2cee
  SHA512: c8c8b943b6e2a5084a151c076400aab27b6ad5e2b20a7643adbf8ca73c0881bc26a57c8549d2ef1e1d1b7bb09ce8599253b5ab5a12ed28816ed7ffe44fe59e4a
- Filesize: 78KB
  MD5: 93f98cd0627ebd516307f4922146cd53
  SHA1: 5ba6a0e1e26464a921d0e7979e2e0b8c9dd5cc76
  SHA256: 89069ee198df0fb39629f53e669e2e17ab81f1198c57290965ec894c434d1eaa
  SHA512: cbdcd146447a94fda9997faa24161d375cc41e0c62d277ca1b78e4808cbf3a35d7727851b5495ae4a982d32e4d51c09e32a5b9a5985788ac86a4cedce7b512e2
- Filesize: 660B
  MD5: 323bc8c8d1a1b5d33728f9f01db6ab34
  SHA1: 9e58ceaf69d552f137e9f7dad414b402ae4fefe7
  SHA256: 94b16f86326080303dda152a516b71c25f3548a71fd0efbc40e67299b3d04f2a
  SHA512: d1233fd6c688df4f8b8a63813426008c622c8e60b9acf8e89540716bedc18cfa978761451f836678ce1982711635e3e088269522b688fc0b7cda9b655c95b119
- Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c