Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Factuur4388.PDF.exe

windows7-x64

10

Factuur4388.PDF.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2024, 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Factuur4388.PDF.exe

  • Size

    772KB

  • MD5

    95f60b5b36d63307d83e3f3de9675a1d

  • SHA1

    da733991d9618b3a3bb5cc503ba0e860f1e8ea29

  • SHA256

    f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

  • SHA512

    de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

  • SSDEEP

    12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      2⤵
        PID:860
      • C:\Windows\System32\mousocoreworker.exe
        C:\Windows\System32\mousocoreworker.exe -Embedding
        2⤵
          PID:4292
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
          2⤵
            PID:1412
          • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
            C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
            2⤵
              PID:4856
          • C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
            "C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe"
            1⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1848
            • C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
              C:\Users\Admin\AppData\Local\Temp\Factuur4388.PDF.exe
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1776
          • C:\Users\Admin\AppData\Local\Temp\cyahede.exe
            C:\Users\Admin\AppData\Local\Temp\cyahede.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3592
            • C:\Users\Admin\AppData\Local\Temp\cyahede.exe
              C:\Users\Admin\AppData\Local\Temp\cyahede.exe
              2⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2724
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 656
                3⤵
                • Program crash
                PID:4436
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 676
                3⤵
                • Program crash
                PID:2600
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2724 -ip 2724
            1⤵
              PID:4228
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2724 -ip 2724
              1⤵
                PID:4160

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\USOShared\xwtrgtd
                Filesize

                654B

                MD5

                7dc8bd7642ad8d64e6950ac15bf7d197

                SHA1

                10cf2dc3d3e4073dad680b64a40933260e6a9f22

                SHA256

                8fc4722b2f77288f66bdc87e515e4a33a5f57096a68457d0d8a18556129b3de7

                SHA512

                66f12592e735e8dabab85c52e94b030224ea3638f1e3d9e454727883ef00816b92c0860054cc236a6f20ae52b62476ddaf429ca73c97dc95d3f569a679a83fd0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\cyahede.exe
                Filesize

                772KB

                MD5

                95f60b5b36d63307d83e3f3de9675a1d

                SHA1

                da733991d9618b3a3bb5cc503ba0e860f1e8ea29

                SHA256

                f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

                SHA512

                de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

                Download Submit

              • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
                Filesize

                129B

                MD5

                a526b9e7c716b3489d8cc062fbce4005

                SHA1

                2df502a944ff721241be20a9e449d2acd07e0312

                SHA256

                e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                SHA512

                d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                Download Submit

              • memory/796-19-0x000000001F6C0000-0x000000001F737000-memory.dmp

                Filesize

                476KB

                Download

              • memory/796-61-0x000000001F6C0000-0x000000001F737000-memory.dmp

                Filesize

                476KB

                Download

              • memory/796-3392-0x000000001F6C0000-0x000000001F737000-memory.dmp

                Filesize

                476KB

                Download

              • memory/796-227-0x000000001F6C0000-0x000000001F737000-memory.dmp

                Filesize

                476KB

                Download

              • memory/796-25-0x000000001F6C0000-0x000000001F737000-memory.dmp

                Filesize

                476KB

                Download

              • memory/796-27-0x000000001F6C0000-0x000000001F737000-memory.dmp

                Filesize

                476KB

                Download

              • memory/796-22-0x000000001F6C0000-0x000000001F737000-memory.dmp

                Filesize

                476KB

                Download

              • memory/796-21-0x000000001F6C0000-0x000000001F737000-memory.dmp

                Filesize

                476KB

                Download

              • memory/1776-3-0x0000000000400000-0x0000000001400000-memory.dmp

                Filesize

                16.0MB

                Download

              • memory/1776-2-0x0000000000400000-0x0000000001400000-memory.dmp

                Filesize

                16.0MB

                Download

              • memory/1776-5-0x0000000000401000-0x0000000000402000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1776-6-0x0000000028C60000-0x0000000028EAB000-memory.dmp

                Filesize

                2.3MB

                Download

              • memory/1776-4-0x0000000028A40000-0x0000000028C5A000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/1848-0-0x0000000000B30000-0x0000000000B34000-memory.dmp

                Filesize

                16KB

                Download

              • memory/2724-16-0x0000000028DA0000-0x0000000028FEB000-memory.dmp

                Filesize

                2.3MB

                Download

              • memory/2724-15-0x0000000000400000-0x00000000004A4600-memory.dmp

                Filesize

                657KB

                Download

              • memory/3592-10-0x0000000000400000-0x00000000004C1000-memory.dmp

                Filesize

                772KB

                Download