Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Factuur4388.PDF.exe

windows7-x64

10

Factuur4388.PDF.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/06/2024, 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Factuur4388.PDF.exe

  • Size

    772KB

  • MD5

    95f60b5b36d63307d83e3f3de9675a1d

  • SHA1

    da733991d9618b3a3bb5cc503ba0e860f1e8ea29

  • SHA256

    f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

  • SHA512

    de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

  • SSDEEP

    12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\System32\mousocoreworker.exe
      C:\Windows\System32\mousocoreworker.exe -Embedding
      2⤵
        PID:3240
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
          PID:764
        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
          2⤵
            PID:4864
        • C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe"
          1⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
            C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2360
        • C:\Users\Admin\AppData\Local\Temp\kymhetc.exe
          C:\Users\Admin\AppData\Local\Temp\kymhetc.exe
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4452
          • C:\Users\Admin\AppData\Local\Temp\kymhetc.exe
            C:\Users\Admin\AppData\Local\Temp\kymhetc.exe
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4564
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 656
              3⤵
              • Program crash
              PID:4080
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 696
              3⤵
              • Program crash
              PID:4516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4564 -ip 4564
          1⤵
            PID:2868
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4564 -ip 4564
            1⤵
              PID:3540

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\vxgchcd
              Filesize

              654B

              MD5

              d9b14ce171d406884d4a6e4a6d39c253

              SHA1

              e670644266db10290db42abec65d0ca868e004fb

              SHA256

              b04127fb200430577309246da30f43e426a07f485e6effaf91b029049e03993b

              SHA512

              02fe466572c238183c07c70c1d2011609752e90e53e559a70f237bff3502e75f6ab9654b86be681dc572160dbc5b58ff9539c0b54d3cd0f60ce2afbcef52bb7b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\kymhetc.exe
              Filesize

              772KB

              MD5

              95f60b5b36d63307d83e3f3de9675a1d

              SHA1

              da733991d9618b3a3bb5cc503ba0e860f1e8ea29

              SHA256

              f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

              SHA512

              de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

              Download Submit

            • memory/764-0-0x0000000000B20000-0x0000000000B24000-memory.dmp

              Filesize

              16KB

              Download

            • memory/804-22-0x0000000020AF0000-0x0000000020B67000-memory.dmp

              Filesize

              476KB

              Download

            • memory/804-3394-0x0000000020AF0000-0x0000000020B67000-memory.dmp

              Filesize

              476KB

              Download

            • memory/804-231-0x0000000020AF0000-0x0000000020B67000-memory.dmp

              Filesize

              476KB

              Download

            • memory/804-67-0x0000000020AF0000-0x0000000020B67000-memory.dmp

              Filesize

              476KB

              Download

            • memory/804-25-0x0000000020AF0000-0x0000000020B67000-memory.dmp

              Filesize

              476KB

              Download

            • memory/804-27-0x0000000020AF0000-0x0000000020B67000-memory.dmp

              Filesize

              476KB

              Download

            • memory/804-21-0x0000000020AF0000-0x0000000020B67000-memory.dmp

              Filesize

              476KB

              Download

            • memory/804-19-0x0000000020AF0000-0x0000000020B67000-memory.dmp

              Filesize

              476KB

              Download

            • memory/2360-2-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/2360-4-0x0000000028960000-0x0000000028B7A000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/2360-3-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/2360-5-0x0000000028B80000-0x0000000028DCB000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/2360-6-0x0000000000401000-0x0000000000402000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4452-11-0x0000000000400000-0x00000000004C1000-memory.dmp

              Filesize

              772KB

              Download

            • memory/4564-16-0x0000000028D90000-0x0000000028FDB000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/4564-15-0x0000000000400000-0x00000000004A4600-memory.dmp

              Filesize

              657KB

              Download