Overview
Score: 10
Static: 10

Sample                Platform            Score
bca3772529...45.exe   windows7-x64        10
bca3772529...45.exe   windows10-2004-x64  10
bccb34575f...72.exe   windows7-x64        10
bccb34575f...72.exe   windows10-2004-x64  10
bcf1af9a5a...be.exe   windows7-x64        10
bcf1af9a5a...be.exe   windows10-2004-x64  8
bcf783e363...97.exe   windows7-x64        3
bcf783e363...97.exe   windows10-2004-x64  3
bd515574dc...8c.exe   windows7-x64        1
bd515574dc...8c.exe   windows10-2004-x64  1
bd68ca7605...39.exe   windows7-x64        10
bd68ca7605...39.exe   windows10-2004-x64  10
bd707a0357...e3.exe   windows7-x64        9
bd707a0357...e3.exe   windows10-2004-x64  9
bd7edfedeb...0b.exe   windows7-x64        10
bd7edfedeb...0b.exe   windows10-2004-x64  10
bdad1ff46d...f2.exe   windows7-x64        10
bdad1ff46d...f2.exe   windows10-2004-x64  10
bdae9ff159...df.exe   windows7-x64        10
bdae9ff159...df.exe   windows10-2004-x64  10
be01d2552c...1c.exe   windows7-x64        10
be01d2552c...1c.exe   windows10-2004-x64  10
be077774c9...87.exe   windows7-x64        10
be077774c9...87.exe   windows10-2004-x64  10
be0a8aeb7e...56.exe   windows7-x64        3
be0a8aeb7e...56.exe   windows10-2004-x64  3
be1643898c...f5.exe   windows7-x64        7
be1643898c...f5.exe   windows10-2004-x64  10
be183db6d4...94.exe   windows7-x64        10
be183db6d4...94.exe   windows10-2004-x64  10
be2375e810...94.exe   windows7-x64        10
be2375e810...94.exe   windows10-2004-x64  10

Analysis
max time kernel:   143s
max time network:  149s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         22/03/2025, 06:15
Behavioral tasks

Task          Resource                Sample
behavioral1   win7-20240903-en        bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
behavioral2   win10v2004-20250314-en  bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
behavioral3   win7-20240903-en        bccb34575fb2db34d4a29075cb2f9aa39904b7d5412695545f2240c00fbb0472.exe
behavioral4   win10v2004-20250314-en  bccb34575fb2db34d4a29075cb2f9aa39904b7d5412695545f2240c00fbb0472.exe
behavioral5   win7-20241023-en        bcf1af9a5a93ae74ea1c79da9951c5be.exe
behavioral6   win10v2004-20250314-en  bcf1af9a5a93ae74ea1c79da9951c5be.exe
behavioral7   win7-20241010-en        bcf783e363557f5bdd4014c159ae2497.exe
behavioral8   win10v2004-20250314-en  bcf783e363557f5bdd4014c159ae2497.exe
behavioral9   win7-20240903-en        bd515574dc1cb379674710f110e907d8cd72a5e4c5eb90d464fbee847b71718c.exe
behavioral10  win10v2004-20250314-en  bd515574dc1cb379674710f110e907d8cd72a5e4c5eb90d464fbee847b71718c.exe
behavioral11  win7-20240729-en        bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139.exe
behavioral12  win10v2004-20250314-en  bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139.exe
behavioral13  win7-20240903-en        bd707a0357b19ea6953d47900bb051e3.exe
behavioral14  win10v2004-20250313-en  bd707a0357b19ea6953d47900bb051e3.exe
behavioral15  win7-20250207-en        bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b.exe
behavioral16  win10v2004-20250314-en  bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b.exe
behavioral17  win7-20240903-en        bdad1ff46d46963cc687d5f6889c9ef2.exe
behavioral18  win10v2004-20250314-en  bdad1ff46d46963cc687d5f6889c9ef2.exe
behavioral19  win7-20240903-en        bdae9ff15952ccdfec0be80562f1cbdf.exe
behavioral20  win10v2004-20250314-en  bdae9ff15952ccdfec0be80562f1cbdf.exe
behavioral21  win7-20240903-en        be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
behavioral22  win10v2004-20250314-en  be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
behavioral23  win7-20240903-en        be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe
behavioral24  win10v2004-20250314-en  be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe
behavioral25  win7-20240903-en        be0a8aeb7e1655bee6255bac9c2947ecef511b5f00e29933dfd9c7f39965bf56.exe
behavioral26  win10v2004-20250314-en  be0a8aeb7e1655bee6255bac9c2947ecef511b5f00e29933dfd9c7f39965bf56.exe
behavioral27  win7-20241023-en        be1643898cf51a24e38e4044d24ae1f5.exe
behavioral28  win10v2004-20250314-en  be1643898cf51a24e38e4044d24ae1f5.exe
behavioral29  win7-20240903-en        be183db6d4b77c092496c69c3f389b94.exe
behavioral30  win10v2004-20250314-en  be183db6d4b77c092496c69c3f389b94.exe
behavioral31  win7-20240903-en        be2375e810af4d76a0fc392d8acf2d1218cd2c21a6b8160be7f1f30ef7cf4694.exe
behavioral32  win10v2004-20250314-en  be2375e810af4d76a0fc392d8acf2d1218cd2c21a6b8160be7f1f30ef7cf4694.exe
General
Target:  bdad1ff46d46963cc687d5f6889c9ef2.exe
Size:    78KB
MD5:     bdad1ff46d46963cc687d5f6889c9ef2
SHA1:    16329a972f772675d1c55304ed703fcf8649c720
SHA256:  9f935f8e74743d350a12fa3f517b6ef5e57c54d850e83592e7da680aa95f37d0
SHA512:  12b4d7d257aa55abdfdd213e3f105cad45207973b40d653cd29d6c20e58b3f867883422eeb0176f8f5fbea1b088df64ab5e28a32efab2133d4612140ab93f5fe
SSDEEP:  1536:tCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRF9//166:tCHFo53Ln7N041QqhgRF9/P
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.

- Metamorpherrat family

- Executes dropped EXE (1 IoC)
  pid   Process
  2708  tmpB165.tmp.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  2540  bdad1ff46d46963cc687d5f6889c9ef2.exe
  2540  bdad1ff46d46963cc687d5f6889c9ef2.exe

- Uses the VBS compiler for execution (1 TTP)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                 Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmpB165.tmp.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bdad1ff46d46963cc687d5f6889c9ef2.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpB165.tmp.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2540  bdad1ff46d46963cc687d5f6889c9ef2.exe
  Token: SeDebugPrivilege  2708  tmpB165.tmp.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                               procid_target
  PID 2540 wrote to memory of 3068   2540  bdad1ff46d46963cc687d5f6889c9ef2.exe  30
  PID 2540 wrote to memory of 3068   2540  bdad1ff46d46963cc687d5f6889c9ef2.exe  30
  PID 2540 wrote to memory of 3068   2540  bdad1ff46d46963cc687d5f6889c9ef2.exe  30
  PID 2540 wrote to memory of 3068   2540  bdad1ff46d46963cc687d5f6889c9ef2.exe  30
  PID 3068 wrote to memory of 2848   3068  vbc.exe                               32
  PID 3068 wrote to memory of 2848   3068  vbc.exe                               32
  PID 3068 wrote to memory of 2848   3068  vbc.exe                               32
  PID 3068 wrote to memory of 2848   3068  vbc.exe                               32
  PID 2540 wrote to memory of 2708   2540  bdad1ff46d46963cc687d5f6889c9ef2.exe  33
  PID 2540 wrote to memory of 2708   2540  bdad1ff46d46963cc687d5f6889c9ef2.exe  33
  PID 2540 wrote to memory of 2708   2540  bdad1ff46d46963cc687d5f6889c9ef2.exe  33
  PID 2540 wrote to memory of 2708   2540  bdad1ff46d46963cc687d5f6889c9ef2.exe  33
Processes

[1] C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe"
    PID: 2540
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ttemagjh.cmdline"
        PID: 3068
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp"
            PID: 2848
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe
        PID: 2708
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5:    06d9d3de4ef8a71990c67c4563cb60f8
  SHA1:   9ee91ecd59d553cd82937cb141f2c0a22b19f24e
  SHA256: eb1c17612d3a313aff9cd9a1ba6655b6c77bae858a73e56183842eb18daf8061
  SHA512: edcda5e19b014dd1758e7279a9911e1ca65f6f7c0349e1f8776221864ba3b9c0a259759f0b678728475ebb612919a2323298b739be33ae5af1265815f16db391

- Filesize: 78KB
  MD5:    2ffad7b028da14e091e95800f6dee93e
  SHA1:   b16b270b2977e02f0b169b0c7c7937c8219b2a5f
  SHA256: aa963e81430f0769d2f9080cb80c93aed9e51432c73e525d20d14f14b2a60e3d
  SHA512: b97c449475c188ed5f6f17553b5fd8cad2a98acb51418967a5bf6166efbcd993b12b50e9d4eadb2af13d23a43821f0425fb7099d0eff66d61a13f4b76fa06a68

- Filesize: 15KB
  MD5:    ecbe3946ddace22437d55add69031e39
  SHA1:   49e9276c3a90754c199f679e25f4ade42f6774df
  SHA256: d34c9f6fbc39b8387b7d1af23636ceff244a440e18b58a0ac35620949652c2ca
  SHA512: 7e568599b50fd5becf6cc10c8b1e0f9359b98ce85cdb1405134c7c134c339058b1e8c7710c86bf531ec0b73c51b014b67933dec8d64f2e5497afabfe2580aeae

- Filesize: 266B
  MD5:    a20cccad614be63de32716cfb84528bc
  SHA1:   e3c8fb9f89dc4a065cba053272a9453831ac53b0
  SHA256: 9f2ae327ad14ee8734848c3137c86f39f7fc0780339348516646adf6a7e1e0ec
  SHA512: cb77c5391fbdf5ede427711567766085de886e3720ab750d7e505bd83bd2504cc7a5879204af819a8ace8e0dd9c997c6f2e5edc7394b41c7cf8c41979a2c9167

- Filesize: 660B
  MD5:    5e80f47a3ec03e1a06232bfbb1966184
  SHA1:   ddbadf7d102fc8c0db4b46b21249a6d4b0fe2e21
  SHA256: 2f5e1046ce4d9f472b57e6ac1c9a8e53f50ec7e6c9d4f968198a2bbb00a37836
  SHA512: 9a6a5835ac84d48458d573f94cb3f63b9fbf8848c8cd3615a942e0ad38cd12568b0ae23a1e5ed2660858a4ee27daf858fbe646cf600c32165d66d0295b8317b1

- Filesize: 62KB
  MD5:    aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1:   ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65