Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

7ea3b64868...cf.exe

windows7-x64

10

7ea3b64868...cf.exe

windows10-2004-x64

10

7ebaf99c04...24.exe

windows7-x64

6

7ebaf99c04...24.exe

windows10-2004-x64

6

7ee13560bd...12.exe

windows7-x64

10

7ee13560bd...12.exe

windows10-2004-x64

10

7ef695e2eb...8f.exe

windows7-x64

10

7ef695e2eb...8f.exe

windows10-2004-x64

10

7f08f6ad11...70.exe

windows7-x64

10

7f08f6ad11...70.exe

windows10-2004-x64

10

7f0a89c07b...88.exe

windows7-x64

1

7f0a89c07b...88.exe

windows10-2004-x64

1

7f4990caad...07.exe

windows7-x64

10

7f4990caad...07.exe

windows10-2004-x64

10

7f584766e9...23.exe

windows7-x64

10

7f584766e9...23.exe

windows10-2004-x64

10

7f653aa47f...d4.exe

windows7-x64

10

7f653aa47f...d4.exe

windows10-2004-x64

10

7f99ce9b97...e0.exe

windows7-x64

10

7f99ce9b97...e0.exe

windows10-2004-x64

10

7fa6bf4f19...ab.exe

windows7-x64

10

7fa6bf4f19...ab.exe

windows10-2004-x64

10

7fb245795f...72.exe

windows7-x64

10

7fb245795f...72.exe

windows10-2004-x64

10

7fb519a181...1c.exe

windows7-x64

10

7fb519a181...1c.exe

windows10-2004-x64

10

8017678d87...da.exe

windows7-x64

10

8017678d87...da.exe

windows10-2004-x64

10

8032ddd614...62.exe

windows7-x64

9

8032ddd614...62.exe

windows10-2004-x64

9

805bf5f6bd...de.exe

windows7-x64

10

805bf5f6bd...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ef695e2eb00583acd7c520cf107188f.exe

  • Size

    78KB

  • MD5

    7ef695e2eb00583acd7c520cf107188f

  • SHA1

    81b07c6a5b9ff127044492483e978d0aa3c709a7

  • SHA256

    198f7e8e6e6b9f8d60ef722311078e085ccd7f3034176c4cb39db6d43be50451

  • SHA512

    1a8329294fc2f46a7012ebd374a0b2e7731fd840b471654ecd7ab9aa7d1f56fdd99cca1a001373d70117ead83fe5c9c6bbfe7866a63d413a13bcdd8e39368a58

  • SSDEEP

    1536:XV586dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6ox9/M1RT:XV581n7N041Qqhg9x9/E

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ef695e2eb00583acd7c520cf107188f.exe
    "C:\Users\Admin\AppData\Local\Temp\7ef695e2eb00583acd7c520cf107188f.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2qnexfc1.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7E8.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2260
    • C:\Users\Admin\AppData\Local\Temp\tmpD6A0.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD6A0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7ef695e2eb00583acd7c520cf107188f.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2qnexfc1.0.vb
    Filesize

    14KB

    MD5

    0b0b0524673be7317fb92ca789554231

    SHA1

    7659c02c6f0c2d4095b4a742be4d8fff872bf513

    SHA256

    a224f612606e3c49ed94e531495c1f1f4a93e9bb88fc86757bf8551d2de67e26

    SHA512

    5bd57d4072962cd55386807285b1ed470f64016e41dfcb11f6218690df2a32486dfa5e8dbec45596f2d7ec95d85f11f3398da2ecd48b6339b721488081bed37e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2qnexfc1.cmdline
    Filesize

    266B

    MD5

    5cb1d3d2fefc57e903bfdb63e43cb849

    SHA1

    9583afedb53e642fda9f49009983e5e24ffd2c15

    SHA256

    19cdfd2748c4f62650e486bc64b3f1438c9bbf48477ba77b175d6159c9d31839

    SHA512

    953c0bbdbfba6b5ea873d0ced0ba2f9cd5bf1c888d8426cdb7563b50756dc71a570be65f6c9a62a40d905e27eff10c4144bcf55583bd5f675dbf72366786b0bc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESD7E9.tmp
    Filesize

    1KB

    MD5

    ed13932aeaa999b902b01e2dea48d5b5

    SHA1

    9c0d35ea5f214f6e5fcd20ee4c8ba494076d84a2

    SHA256

    fd89b06b380e9353746ef542d6c24609347b0d216e521f31bd45dd550f0b554b

    SHA512

    d069e4e93c9a5cf5c49c937a7bbb7c36d4f6974068976a78988d11b97c49b487b8b5f8db2029e62a545ce284c41c6a81b8c70315fd1200b4bec5b10324576803

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpD6A0.tmp.exe
    Filesize

    78KB

    MD5

    ba7a759b1a3e3b4649e2225060d9da7e

    SHA1

    164bbdc4009813b641b77839b714b04978ec1529

    SHA256

    d605d90ad0952bebad110b8139cb0ffdb5e07040d0053384953df4daae791b2e

    SHA512

    a03625315a6cf9c67f8da6194d486d62ef2b1f596ad064b8c13ebb28028e5c6e439c66be6759650ddc78d61e963a1172d6c6a59e6501c3c5158405bb7eb1f1c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbcD7E8.tmp
    Filesize

    660B

    MD5

    3ee77ec8b1af2735710778fbc2237929

    SHA1

    3fd4489fabf3fff31ac8f0a9f0ec845d5aa3824d

    SHA256

    1b605bcb8676e2d358cf322123b9be215153abcf72cc569b4e84d37464ff941d

    SHA512

    8dc5dbf7b79977d4f85c39216bd7f673894a0d02bc5227dcee3a5b42b65bfa608a414f95a702b63aec49f6ff1f15489b5f5d436bb931c3d2fae9fad334475f57

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/1420-8-0x0000000074F10000-0x00000000754BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1420-18-0x0000000074F10000-0x00000000754BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2236-0-0x0000000074F11000-0x0000000074F12000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-1-0x0000000074F10000-0x00000000754BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2236-2-0x0000000074F10000-0x00000000754BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2236-24-0x0000000074F10000-0x00000000754BB000-memory.dmp

    Filesize

    5.7MB

    Download