Analysis
- max time kernel: 142s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/02/2025, 21:30
Static task: static1
Behavioral task: behavioral1
- Sample: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
- Resource: win10v2004-20250129-en
General
- Target: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
- Size: 78KB
- MD5: a3eb3a25aa665925d3c1d1d63d80efac
- SHA1: da2eebdb1492f2e8f554a208d47083d4b4856d99
- SHA256: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f
- SHA512: 4a059f9f552a8e003aef65feda5ff52f6268fb0623a43fe31bb5d1e330e079d8ae77458c84fbe66d682c7077f67b2933b5cc19677a6b82eac889d702f702eb74
- SSDEEP: 1536:6HFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQt99/NV1M+:6HFo8dSE2EwR4uY41HyvY99/h
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation (process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe)
- Executes dropped EXE (1 IoC)
  PID 4468: tmp93F3.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" (process: tmp93F3.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp93F3.tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (PID 1052, process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe)
  Token: SeDebugPrivilege (PID 4468, process: tmp93F3.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1052 wrote to memory of 1680 (process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe, procid_target: 85)
  PID 1052 wrote to memory of 1680 (process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe, procid_target: 85)
  PID 1052 wrote to memory of 1680 (process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe, procid_target: 85)
  PID 1680 wrote to memory of 2792 (process: vbc.exe, procid_target: 88)
  PID 1680 wrote to memory of 2792 (process: vbc.exe, procid_target: 88)
  PID 1680 wrote to memory of 2792 (process: vbc.exe, procid_target: 88)
  PID 1052 wrote to memory of 4468 (process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe, procid_target: 89)
  PID 1052 wrote to memory of 4468 (process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe, procid_target: 89)
  PID 1052 wrote to memory of 4468 (process: 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe, procid_target: 89)
Processes
- C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe (depth 1, PID 1052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, PID 1680)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kuprkkyh.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3, PID 2792)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES955A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF2161769861490C8A2F8A499F11C457.TMP"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp93F3.tmp.exe (depth 2, PID 4468)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp93F3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 4e27da6e4a1f2c275e6550319d501602
  SHA1: 69405a897abf9f6a3f176e872fd5ab9635d5adb1
  SHA256: c0b8c6756810bb229fad50864a39d7edd2c8c6ae257c8b7bc8199689ae1d4b4c
  SHA512: c3bf362cd6187010e32307262ceefe61b4396b332e505210cc5a571d30eaa6a8c4313846116ee3fbd659339c6d77689075cf024b4f2e29023a5b791c98eba756
- Filesize: 15KB
  MD5: a8fe7190a61b50d777238a0ab187b8ec
  SHA1: 4018b7223c34606fb1429b4966ea33ab8e676ec6
  SHA256: 9e31ca1cc20f147b040d55aba938e42b75166c6f87c5f430eacfbd2bee3f51d2
  SHA512: f137576838e3c4fb133c381303387e14247c11f9a4023b0267dd9dda2da2b1416de1530e9db441dc8f0a8ced0dadfe4b357762da5b6797e74e40f2ff7d91dcb4
- Filesize: 266B
  MD5: a535d2e6a2722ec52e4bbe3bfffcf65a
  SHA1: d36aa613dc9135b9903c590d658089ebc9f4718f
  SHA256: b9af854b9293f01ecc61c3e15f237126d24f54226cca532400c21f5b6dfbee77
  SHA512: b96c75c0e654975523f13622d8629b39cc7798c6788e823b7365691f8c796657b09a4cd3a7651fc64c766872a9dcf5ce50267c9d715e43a12ce9e846bc41bbdd
- Filesize: 78KB
  MD5: 3c731f5a84a663020be9029efe814599
  SHA1: ed847694c04530bc31e56c792a239c6e45645492
  SHA256: 879cdc0ff025f087a6b1e8e36ff27211c8b93ca41d85e37a1e33156c7e2bcae4
  SHA512: e2e1c24b82358dad30598a92b20ef5ee7a90c8082d15d9475ebef71cf3cf6f196b80f6d1f7fd79f0130068685b110aeb807aa59ae0c176b39d899ceeac68a4e8
- Filesize: 660B
  MD5: 02933c1ade72fed91b17669f34764cfc
  SHA1: 9a3b1eac2fda5efdae4a7bc8b438f14993f158c8
  SHA256: eabb0d0287c3fed5a813a31ddb810e2c8d1d68b7cc8736c4811c21f040fafc05
  SHA512: bd02c0c051873ea180173977ccb387aa353f01f714528d68fcfb3e253559bf4976dcf960349485ddf01f04bd019e37f38af43855d7e4ae5b8b67fa3782d19ece
- Filesize: 62KB
  MD5: 6870a276e0bed6dd5394d178156ebad0
  SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
  SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
  SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809