Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 148s
  max time network: 195s
  platform: windows7_x64
  resource: win7v20210410
  submitted: 05/08/2021, 11:34

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: AcroRd32DQe.bin.exe
    Resource: win7v20210410
  Behavioral task: behavioral2
    Sample: AcroRd32DQe.bin.exe
    Resource: win10v20210408
General
  Target: AcroRd32DQe.bin.exe
  Size: 293KB
  MD5: 187a89cf24890c3af628219d0d9ae881
  SHA1: 5b1ba0821ca5461ced123cc646dd5823504075f5
  SHA256: f949b78b040cbfc95aafb50ef30ac3e8c16771c6b926b6f8f1efe44a1f437d51
  SHA512: aaf9203cda730018988f38c4734b144d0f83e61e3a342c6c26f3668b2e6860d95558da39bc11d3a7d4683f74059e144fc0c98ebe05acde501012caf3609263ef
Malware Config
  Extracted
    Family: plugx
    45.134.83.41:443
    45.134.83.41:8080
    45.134.83.41:80
    jqcdxvOfUAlRGUCUknxZ
    folder: AcroRd32DQe
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  320   AcroRd32.exe
  576   AcroRd32.exe
  1640  acrotrays.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  1824  AcroRd32DQe.bin.exe
  320   AcroRd32.exe (x2)
  576   AcroRd32.exe (x2)
  1640  acrotrays.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | AcroRd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AcroRd32DQe = "\"C:\\ProgramData\\AcroRd32DQe\\AcroRd32.exe\" 444" | AcroRd32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | AcroRd32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\AcroRd32DQe = "\"C:\\ProgramData\\AcroRd32DQe\\AcroRd32.exe\" 444" | AcroRd32.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\D: | AcroRd32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | AcroRd32DQe.bin.exe
Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY | AcroRd32.exe
  Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | AcroRd32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\ms-pu | AcroRd32.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 43004200380032003300460037003400450035003600430046003800420045000000 | AcroRd32.exe
  Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | AcroRd32.exe
  Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | acrotrays.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  576   AcroRd32.exe (x6)
  1640  acrotrays.exe (x3)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 576 | AcroRd32.exe (x2)
  Token: SeTcbPrivilege | 576 | AcroRd32.exe
  Token: SeDebugPrivilege | 1640 | acrotrays.exe (x3)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1824  AcroRd32DQe.bin.exe (x2)

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 1824 wrote to memory of 320 | 1824 | AcroRd32DQe.bin.exe | 30 (x7)
  PID 320 wrote to memory of 576 | 320 | AcroRd32.exe | 31 (x7)
  PID 576 wrote to memory of 1640 | 576 | AcroRd32.exe | 32 (x7)
Processes

C:\Users\Admin\AppData\Local\Temp\AcroRd32DQe.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AcroRd32DQe.bin.exe"
  PID: 1824
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AcroRd32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AcroRd32.exe"
      PID: 320
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\ProgramData\AcroRd32DQe\AcroRd32.exe
          Command line: C:\ProgramData\AcroRd32DQe\AcroRd32.exe 444
          PID: 576
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\ProgramData\back\acrotrays.exe
              Command line: C:\ProgramData\back\acrotrays.exe -d AAA
              PID: 1640
              - Executes dropped EXE
              - Loads dropped DLL
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken