Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/03/2025, 06:14

General

  • Target

    916fbe67a7968d2b65d54ae3ce72f3e3.exe

  • Size

    78KB

  • MD5

    916fbe67a7968d2b65d54ae3ce72f3e3

  • SHA1

    c27a2635f22db2401953554e9b958499c850ab23

  • SHA256

    720b0f321e77a1ab8e5bec4f33644e9cdd97f571a3bc2468b327ee85d4bca09b

  • SHA512

    a1db5956ecaf3ea4550e890a604753d04587761d09de54d3682cc5f79433dfb29d49f499d85904c7c14a20650d7443385ee8d7c2ddfbc0ffeab0936a34247444

  • SSDEEP

    1536:+Ry5jEdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6HM9/O1Gl:+Ry5jzn7N041QqhgUM9/9

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\916fbe67a7968d2b65d54ae3ce72f3e3.exe
    "C:\Users\Admin\AppData\Local\Temp\916fbe67a7968d2b65d54ae3ce72f3e3.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hd0j9keh.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE50.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2452
    • C:\Users\Admin\AppData\Local\Temp\tmpBDD3.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBDD3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\916fbe67a7968d2b65d54ae3ce72f3e3.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESBE51.tmp

    Filesize

    1KB

    MD5

    649bfe7db855a5d97ecf7f0feee88873

    SHA1

    e0816a342925a81b576a12147f3ae0526961b75c

    SHA256

    bb2e2d11473d505a216bc3665641d649a6c0442acb42ebb4d936cb19c5f0bc03

    SHA512

    bec90f44396336b53fb0aa213f5fa2ac5df695b12a0ddbaf14d48a59ac17e96a59bd94e027c16a0b7a37429b412bd1c2897fac13b9de9df1c582f8fd5eabfb55

  • C:\Users\Admin\AppData\Local\Temp\hd0j9keh.0.vb

    Filesize

    14KB

    MD5

    0ab13b15a2e7f055cddf3897db97017b

    SHA1

    48c0b8d0eaa24c4dd5ea24864f5adf2871d76763

    SHA256

    122e54a86a62e5d60d727bc2e2bb4427ec4ade33f385700fc5211fae323a8587

    SHA512

    655acf242409b3d5db9627433e3dccc51c4a7bcf6bbfa16da4803fbd19e35dbf7d3e700af5ed3ae0f8b6419a2025c37ac546be7887f72b9bfb8a1e8440053b1a

  • C:\Users\Admin\AppData\Local\Temp\hd0j9keh.cmdline

    Filesize

    266B

    MD5

    d7b53d605f4357b98f20771201e266b4

    SHA1

    ded38d1d4ea4bc9717f2b7c3bb5f7bbcbb847cb7

    SHA256

    18eaafe803224e605ef5e4c33ecaebd8129907cf34ab697f6af97fb50ba7cac1

    SHA512

    79eeb0e42433a366226f8f5f40b757fa49f4f460daaae9bf81a9364701287355d71e0461a241d91131cf17db57f530da2383dc95cb9c3e56b291b032ee9b7016

  • C:\Users\Admin\AppData\Local\Temp\tmpBDD3.tmp.exe

    Filesize

    78KB

    MD5

    22e1f1f66225a38a04022995214c7347

    SHA1

    99d7b6a4b43302e9042c4d22f481ee983a7a99c4

    SHA256

    01b2322ff3549e785bc48edf132dd422e00d3c0fbe3de8e2756d80e65980bfb4

    SHA512

    9283414db3a53fcd63bb8338cfbfab26338e89866868184f6b4804dfc4bc0fef70e14cb43ae67f2b0acb4a7e62f738cc2901b97d0a4074428e5b8b2af91ce08e

  • C:\Users\Admin\AppData\Local\Temp\vbcBE50.tmp

    Filesize

    660B

    MD5

    abdc061c4e57d0026c99f1b7c831e9b7

    SHA1

    2587b5fd22ceab556fa10e20f5f1ba52f8851560

    SHA256

    83f13307b846afe4c5c8c2fbe716329869b57dbb96a8568cf604c6f50a551b3b

    SHA512

    fb967b4f560f80b959d1b0af16d12518365317e847bbdf8f64d7d49c9edfbb02f94869b2cee37423e609a9502269e75064e145f251d82ad0beb453fe656aad43

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/2052-9-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

  • memory/2052-18-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-0-0x00000000743E1000-0x00000000743E2000-memory.dmp

    Filesize

    4KB

  • memory/2472-1-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-2-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

  • memory/2472-24-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB