
Analysis

  • max time kernel
    46s
  • max time network
    73s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28/05/2024, 09:05

General

  • Target

    WS.PDFelement.Pro.8.3.8.1253/Host block.bat

  • Size

    806B

  • MD5

    d801e5069a659e36988d8f588881dcb2

  • SHA1

    779a60b23b61e38254f5dd327c083fe496af584b

  • SHA256

    0daf0b725157e48e6ee9e284c9c3572c9e5b65542676c03fc6d46a665346c474

  • SHA512

    215d85ff66921b46bf2394e45937de69f71b23c187eb69ff02b2617bef119fc7848b6c3790e13d88a8c4a66e82271754541670cb291876ca00473fca4b510df9

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WS.PDFelement.Pro.8.3.8.1253\Host block.bat"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\system32\reg.exe
      REG QUERY "HKU\S-1-5-19"
      2⤵
      PID:1632
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="PDFelement" dir=in action=block program="C:\Users\Admin\AppData\Local\Temp\WS.PDFelement.Pro.8.3.8.1253\PDFelement.exe"
      2⤵
      • Modifies Windows Firewall
      PID:2820
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall set rule name="PDFelement" new enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3824
    • C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers\etc\hosts" /a
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2672
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
      PID:204
    • C:\Windows\system32\icacls.exe
      icacls C:\Windows\system32\drivers\etc\hosts /c /grant "administrators:F"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:216
    • C:\Windows\system32\attrib.exe
      attrib -h -r -s C:\Windows\system32\drivers\etc\hosts
      2⤵
      • Drops file in Drivers directory
      • Views/modifies file attributes
      PID:3716
    • C:\Windows\system32\find.exe
      FIND /C /I "127.0.0.1 account.wondershare.com" C:\Windows\system32\drivers\etc\hosts
      2⤵
      PID:520
    • C:\Windows\system32\timeout.exe
      TIMEOUT /t 2
      2⤵
      • Delays execution with timeout.exe
      PID:3604
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservice -s fdPHost
    1⤵
    PID:504

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\system32\drivers\etc\hosts

    Filesize

    980B

    MD5

    676acd944d70c6fa179d7d62939fee11

    SHA1

    6e657ac2df70a9c3c59ba68920f973f999af8af2

    SHA256

    4014edc60be6c2f6aa3bfb22450634e67feb7975c74358de6511e719380e2a2b

    SHA512

    031d0830f0c9597e36135f13ba66628e8299874fd21c56193db5a4e63256b9d5e2d073048fc8ff8559f1b40909b99315bc3307a3acf09283f9239111af586112