General
Target: WS.PDFelement.zip
Size: 513.6MB
Sample: 240528-k2mpssde4y
MD5: 64ada1224816be2e3693de51bbbe0016
SHA1: 7f68c6b85f7f3ca34c30a431ed5103d9fd8b9938
SHA256: e14274d9724505d314d2025563420b4e5064f5f54e4dc6a22f0d2dc7031f340c
SHA512: 5047958fafd9ac11fe79817d6b3e7fd820c63174e47a6d0a5b9eb711fef5577a8f899b845dcdbe92ec2c5dc70fea509e0534d43ceb2cba587be48ffc5d045b86
SSDEEP: 12582912:yXWhrTuPG7CoHzCS94ugCh/JLQQBSDhokz/F:yXeryPe3HmS94vCh/JLlSDd
Static task: static1

Behavioral task: behavioral1
  Sample: WS.PDFelement.Pro.8.3.8.1253/Host block.bat
  Resource: win10-20240404-en

Behavioral task: behavioral2
  Sample: WS.PDFelement.Pro.8.3.8.1253/WS.PDFelement.OCR.Plugin/OCR Plugin.exe
  Resource: win10-20240404-en

Behavioral task: behavioral3
  Sample: WS.PDFelement.Pro.8.3.8.1253/pdfelement-pro_full5239.exe
  Resource: win10-20240404-en
Malware Config
Targets
Target: WS.PDFelement.Pro.8.3.8.1253/Host block.bat
Size: 806B
MD5: d801e5069a659e36988d8f588881dcb2
SHA1: 779a60b23b61e38254f5dd327c083fe496af584b
SHA256: 0daf0b725157e48e6ee9e284c9c3572c9e5b65542676c03fc6d46a665346c474
SHA512: 215d85ff66921b46bf2394e45937de69f71b23c187eb69ff02b2617bef119fc7848b6c3790e13d88a8c4a66e82271754541670cb291876ca00473fca4b510df9

- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible privilege escalation attempt
- Modifies file permissions
Target: WS.PDFelement.Pro.8.3.8.1253/WS.PDFelement.OCR.Plugin/OCR Plugin.exe
Size: 388.2MB
MD5: 5233557e789b77bc870173335069ec13
SHA1: 33bb4146dbf7143da45cc242ea6d58c5c816ca9b
SHA256: fd3292348856a9839771420dbec8706d819bd7e949e47199cf7b8f11ca347ad0
SHA512: 783d9c4869d2f932d23683c6461d2cb17b719f47dfd18c96fced1997c63e78daeb6352d1e6bf8d05c47f24b2bce96b162a96af319368cd10bb7b9430b08d2544
SSDEEP: 6291456:8D28zzfP+Gsthgb3IpsUS4X79sm/XQuP8yIR8ptYJ92kTLJ4F34P3sKuMTXWSHpU:8D2ozXNsrE4ySX7Pt8yRMWPG2hpB
Score: 4/10
Target: WS.PDFelement.Pro.8.3.8.1253/pdfelement-pro_full5239.exe
Size: 126.1MB
MD5: fc63185f81f764004cc2d1d05272c062
SHA1: d271b39b93727dfca6535895ae8619780f2053ac
SHA256: 86ce2f762468736cfcc82cf95ee28ba476bdba022f5d96a6f976eeb65bf8dc0a
SHA512: 8e08f6997fc140a39da079235477096f7491ac3f2b308e5e1520882c5c6866fefe3deac272729b3ee7ac36d70a2b47a33a1ecde58109156f48d52d1fab63dccc
SSDEEP: 3145728:cNCCVySU1XUS6d99oCPF2m8PfCQ/cAHvcglL:v1kS6dDtHQ/7vcc
Score: 9/10

- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15 (technique hit counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)