Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    22/03/2025, 06:15

General

  • Target

    bdad1ff46d46963cc687d5f6889c9ef2.exe

  • Size

    78KB

  • MD5

    bdad1ff46d46963cc687d5f6889c9ef2

  • SHA1

    16329a972f772675d1c55304ed703fcf8649c720

  • SHA256

    9f935f8e74743d350a12fa3f517b6ef5e57c54d850e83592e7da680aa95f37d0

  • SHA512

    12b4d7d257aa55abdfdd213e3f105cad45207973b40d653cd29d6c20e58b3f867883422eeb0176f8f5fbea1b088df64ab5e28a32efab2133d4612140ab93f5fe

  • SSDEEP

    1536:tCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRF9//166:tCHFo53Ln7N041QqhgRF9/P

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a remote access tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe
    "C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ttemagjh.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2848
    • C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
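The process tree above is the classic drop-compile-run pattern: the sample in %TEMP% drives the .NET 2.0 Visual Basic compiler (vbc.exe) through a response file (ttemagjh.cmdline), vbc.exe spawns cvtres.exe as part of a normal compile, and the sample then launches the freshly built tmpB165.tmp.exe with the original sample path as its only argument. The following detector is an added example and not part of the Triage report. The events are constructed from the PIDs, image paths and command lines shown in the tree; the Sysmon-style field names (pid, ppid, image, cmdline) and the allowlist of build tools that legitimately invoke vbc.exe/csc.exe are assumptions to tune for your own estate.

```python
"""Flag runtime .NET compilation driven from %TEMP%, as seen in the process tree.

Added example, not part of the Triage report. EVENTS is constructed from the
report's process tree; field names and DEV_PARENTS are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed process-creation events mirroring the report (PIDs/paths as listed).
EVENTS = [
    {"pid": 2540, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe"'},
    {"pid": 3068, "ppid": 2540,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig '
                r'@"C:\Users\Admin\AppData\Local\Temp\ttemagjh.cmdline"'},
    {"pid": 2848, "ppid": 3068,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY '
                r'/MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp" '
                r'"C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp"'},
    {"pid": 2708, "ppid": 2540,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe" '
                r'C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe'},
]

# Assumption: parents that legitimately drive the compilers in your environment.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "w3wp.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# CodeDOM-style response file: @"...\name.cmdline" or @...\name.cmdline
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def in_temp(path):
    """True if the path sits under a user's %LOCALAPPDATA%\\Temp."""
    return bool(TEMP_DIR.match(path))


def is_runtime_compile(event, by_pid):
    """vbc/csc launched with a response file by a non-build-tool parent, where
    either the parent image or the response file lives in %TEMP%."""
    if image_name(event["image"]) not in COMPILERS:
        return False
    m = RESPONSE_FILE.search(event["cmdline"])
    if not m:
        return False
    parent = by_pid.get(event["ppid"])
    if parent and image_name(parent["image"]) in DEV_PARENTS:
        return False
    return in_temp(m.group(1)) or (parent is not None and in_temp(parent["image"]))


def find_runtime_compilation(events):
    """Return (pid, rule, detail) findings for the drop-compile-run chain.

    runtime_compile     - the compiler launch itself (the real alert).
    compile_artifact    - cvtres.exe under a flagged compiler; normal for a
                          compile, kept only so the chain is reported whole.
    temp_child_of_temp  - an executable in %TEMP% started by a parent that also
                          runs from %TEMP% (the dropped payload being executed).
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else "?"
        if is_runtime_compile(e, by_pid):
            findings.append((e["pid"], "runtime_compile",
                             f"{name} spawned by {pname} (PID {e['ppid']}) with response file in %TEMP%"))
        elif name == "cvtres.exe" and parent and is_runtime_compile(parent, by_pid):
            findings.append((e["pid"], "compile_artifact",
                             f"cvtres.exe under flagged {pname} (PID {parent['pid']})"))
        elif parent and in_temp(e["image"]) and in_temp(parent["image"]):
            findings.append((e["pid"], "temp_child_of_temp",
                             f"{name} started by {pname} (PID {e['ppid']}), both in %TEMP%"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in find_runtime_compilation(EVENTS):
        print(f"PID {pid:<5} {rule:<20} {detail}")
```

The compiler launch is the signal worth alerting on; cvtres.exe under vbc.exe is what every compile looks like, so it is reported only as context. Note that the original process (PID 2540) is not flagged on its own, since nothing about a lone executable running from %TEMP% is distinctive; the chain is what matters.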

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp

    Filesize

    1KB

    MD5

    06d9d3de4ef8a71990c67c4563cb60f8

    SHA1

    9ee91ecd59d553cd82937cb141f2c0a22b19f24e

    SHA256

    eb1c17612d3a313aff9cd9a1ba6655b6c77bae858a73e56183842eb18daf8061

    SHA512

    edcda5e19b014dd1758e7279a9911e1ca65f6f7c0349e1f8776221864ba3b9c0a259759f0b678728475ebb612919a2323298b739be33ae5af1265815f16db391

  • C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe

    Filesize

    78KB

    MD5

    2ffad7b028da14e091e95800f6dee93e

    SHA1

    b16b270b2977e02f0b169b0c7c7937c8219b2a5f

    SHA256

    aa963e81430f0769d2f9080cb80c93aed9e51432c73e525d20d14f14b2a60e3d

    SHA512

    b97c449475c188ed5f6f17553b5fd8cad2a98acb51418967a5bf6166efbcd993b12b50e9d4eadb2af13d23a43821f0425fb7099d0eff66d61a13f4b76fa06a68

  • C:\Users\Admin\AppData\Local\Temp\ttemagjh.0.vb

    Filesize

    15KB

    MD5

    ecbe3946ddace22437d55add69031e39

    SHA1

    49e9276c3a90754c199f679e25f4ade42f6774df

    SHA256

    d34c9f6fbc39b8387b7d1af23636ceff244a440e18b58a0ac35620949652c2ca

    SHA512

    7e568599b50fd5becf6cc10c8b1e0f9359b98ce85cdb1405134c7c134c339058b1e8c7710c86bf531ec0b73c51b014b67933dec8d64f2e5497afabfe2580aeae

  • C:\Users\Admin\AppData\Local\Temp\ttemagjh.cmdline

    Filesize

    266B

    MD5

    a20cccad614be63de32716cfb84528bc

    SHA1

    e3c8fb9f89dc4a065cba053272a9453831ac53b0

    SHA256

    9f2ae327ad14ee8734848c3137c86f39f7fc0780339348516646adf6a7e1e0ec

    SHA512

    cb77c5391fbdf5ede427711567766085de886e3720ab750d7e505bd83bd2504cc7a5879204af819a8ace8e0dd9c997c6f2e5edc7394b41c7cf8c41979a2c9167

  • C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp

    Filesize

    660B

    MD5

    5e80f47a3ec03e1a06232bfbb1966184

    SHA1

    ddbadf7d102fc8c0db4b46b21249a6d4b0fe2e21

    SHA256

    2f5e1046ce4d9f472b57e6ac1c9a8e53f50ec7e6c9d4f968198a2bbb00a37836

    SHA512

    9a6a5835ac84d48458d573f94cb3f63b9fbf8848c8cd3615a942e0ad38cd12568b0ae23a1e5ed2660858a4ee27daf858fbe646cf600c32165d66d0295b8317b1

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/2540-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

    Filesize

    4KB

  • memory/2540-1-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

  • memory/2540-5-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

  • memory/2540-24-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

  • memory/3068-8-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

  • memory/3068-18-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB
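The dropped-file hashes in the Downloads section are the indicators an analyst would sweep a host or quarantine share for. The helper below is an added example, not part of the Triage report: it computes all four digests the report lists (MD5, SHA-1, SHA-256, SHA-512) in a single read of each file, matches them against an IOC table keyed by algorithm, and walks a directory tree. REPORT_IOCS is populated from the SHA-256 values on this page (plus the two executables' MD5s); the function and variable names are my own.

```python
"""Sweep a directory for the files dropped in the report, by hash.

Added example, not part of the Triage report. Hash values below are copied
from the report's General and Downloads sections; everything else is
illustrative.
"""
import hashlib
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha512")

# IOC table keyed by algorithm, so feeds that only carry MD5 still match.
REPORT_IOCS = {
    "sha256": {
        "9f935f8e74743d350a12fa3f517b6ef5e57c54d850e83592e7da680aa95f37d0": "bdad1ff46d46963cc687d5f6889c9ef2.exe (submitted sample)",
        "aa963e81430f0769d2f9080cb80c93aed9e51432c73e525d20d14f14b2a60e3d": "tmpB165.tmp.exe",
        "d34c9f6fbc39b8387b7d1af23636ceff244a440e18b58a0ac35620949652c2ca": "ttemagjh.0.vb",
        "9f2ae327ad14ee8734848c3137c86f39f7fc0780339348516646adf6a7e1e0ec": "ttemagjh.cmdline",
        "2f5e1046ce4d9f472b57e6ac1c9a8e53f50ec7e6c9d4f968198a2bbb00a37836": "vbcB28D.tmp",
        "eb1c17612d3a313aff9cd9a1ba6655b6c77bae858a73e56183842eb18daf8061": "RESB28E.tmp",
        "d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430": "zCom.resources",
    },
    "md5": {
        "bdad1ff46d46963cc687d5f6889c9ef2": "bdad1ff46d46963cc687d5f6889c9ef2.exe (submitted sample)",
        "2ffad7b028da14e091e95800f6dee93e": "tmpB165.tmp.exe",
    },
}


def _digest_blocks(blocks):
    """Feed an iterable of byte blocks into all hashers at once; one pass over the data."""
    hs = {name: hashlib.new(name) for name in ALGOS}
    for block in blocks:
        for h in hs.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def digest_bytes(data):
    """All four digests of an in-memory buffer."""
    return _digest_blocks([data])


def digest_file(path, chunk=1 << 16):
    """All four digests of a file, read in 64 KiB chunks so large files are cheap."""
    with open(path, "rb") as f:
        return _digest_blocks(iter(lambda: f.read(chunk), b""))


def match_digests(digests, iocs=REPORT_IOCS):
    """Return [(algorithm, label)] for every IOC table entry these digests hit."""
    hits = []
    for algo, table in iocs.items():
        label = table.get(digests.get(algo, ""))
        if label:
            hits.append((algo, label))
    return hits


def sweep(root, iocs=REPORT_IOCS):
    """Walk `root` and map each matching file path to its IOC hits."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits = match_digests(digest_file(p), iocs)
            if hits:
                results[str(p)] = hits
    return results


if __name__ == "__main__":
    import sys
    for path, hits in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", ", ".join(f"{a}:{l}" for a, l in hits))
```

Match on SHA-256 where you can; the MD5 entries are there only because some older feeds and AV logs carry nothing else. A hit on RESB28E.tmp or vbcB28D.tmp alone is weak evidence, since those are generic compiler intermediates, but any hit on tmpB165.tmp.exe or the submitted sample is the real thing.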