Analysis
max time kernel: 117s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/02/2025, 01:54
Static task: static1
Behavioral task: behavioral1
  Sample: 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
  Resource: win10v2004-20250129-en
General
Target: 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
Size: 78KB
MD5: 8d3721144f7549df779020586ad65850
SHA1: 3a8dbf3f448d419bedcd098b6bb9e1e1a5566e48
SHA256: 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303
SHA512: 18de0aa764229468fad3e2af7508024da5ff9170fe1b20a2242e18d3e5e17900905046a4b274976c30015885d0dfd6cd9aa9122f8e49181a85d6710d7c12f4b5
SSDEEP: 1536:LRy5jJLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6G9/C1BU:LRy5jhE2EwR4uY41HyvYO9/l
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe

Executes dropped EXE (1 IoC)
pid | Process
1580 | tmp826E.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmp826E.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp826E.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2460 | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
Token: SeDebugPrivilege | 1580 | tmp826E.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2460 wrote to memory of 2440 | 2460 | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe | 85
PID 2460 wrote to memory of 2440 | 2460 | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe | 85
PID 2460 wrote to memory of 2440 | 2460 | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe | 85
PID 2440 wrote to memory of 2408 | 2440 | vbc.exe | 87
PID 2440 wrote to memory of 2408 | 2440 | vbc.exe | 87
PID 2440 wrote to memory of 2408 | 2440 | vbc.exe | 87
PID 2460 wrote to memory of 1580 | 2460 | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe | 89
PID 2460 wrote to memory of 1580 | 2460 | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe | 89
PID 2460 wrote to memory of 1580 | 2460 | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe"
  PID: 2460
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lfmb5pnu.cmdline"
    PID: 2440
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49707D8FC4C14429938D7C79A8A612D9.TMP"
      PID: 2408
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp826E.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp826E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
    PID: 1580
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads