Analysis
- max time kernel: 186s
- max time network: 200s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2022, 19:54
Behavioral task behavioral1
- Sample: accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe
- Resource: win10v2004-20220812-en
General
- Target: accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe
- Size: 1.1MB
- MD5: 4c4a1796e61e532a3a9108c705f5b74e
- SHA1: 2a6bc5c5cdcefac83bd47b58761690bc4dfb4284
- SHA256: accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d
- SHA512: 024baf100e11ea53af0bf3dec768ced839c1ba9a23c0f66aa0f3c336be63e90c7e8cb4c19a12b4d9381fe971ea886fb1f69ea8ec8d369c2521a779c3b80b93fa
- SSDEEP: 24576:ubq0z+FMnSJU96SyN+rsbvco1Pc9McNC1Dy4D6N+/GtD9M7SW0LvZkDV:ubx8MSJfT+rsbPK93NSDB+N+QO3NDV
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  pid   Process
  4252  adobereader.exe
  2736  adobereader.exe

- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid   Process
  1860  netsh.exe

- UPX packed file (7 IoCs, yara_rule upx)
  resource
  behavioral2/memory/4280-132-0x0000000000400000-0x00000000007BC000-memory.dmp
  behavioral2/memory/4280-138-0x0000000000400000-0x00000000007BC000-memory.dmp
  behavioral2/files/0x0007000000022e2b-141.dat
  behavioral2/files/0x0007000000022e2b-142.dat
  behavioral2/memory/4252-144-0x0000000000400000-0x00000000007BC000-memory.dmp
  behavioral2/files/0x0007000000022e2b-147.dat
  behavioral2/memory/4252-149-0x0000000000400000-0x00000000007BC000-memory.dmp

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                              Process
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\      accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Driver Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adobereader.exe"  accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\                                      accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Driver Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adobereader.exe"  accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description                             pid   Process                                                                 procid_target
  PID 4280 set thread context of 4052     4280  accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe   81
  PID 4252 set thread context of 2736     4252  adobereader.exe                                                         84

- Suspicious use of WriteProcessMemory (22 IoCs; identical entries collapsed with a count)
  description                        pid   Process                                                                 procid_target  count
  PID 4280 wrote to memory of 4052   4280  accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe   81             8
  PID 4052 wrote to memory of 1860   4052  accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe   82             3
  PID 4052 wrote to memory of 4252   4052  accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe   83             3
  PID 4252 wrote to memory of 2736   4252  adobereader.exe                                                         84             8
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe"
   PID: 4280
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d.exe"
      PID: 4052
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\adobereader.exe" "Adobe Driver Update" ENABLE
         PID: 1860
         - Modifies Windows Firewall

      3. C:\Users\Admin\AppData\Local\Temp\adobereader.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\adobereader.exe"
         PID: 4252
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\adobereader.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\adobereader.exe"
            PID: 2736
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB
- MD5: 4c4a1796e61e532a3a9108c705f5b74e
- SHA1: 2a6bc5c5cdcefac83bd47b58761690bc4dfb4284
- SHA256: accd6b29097b0d9f3df050ebe9f85443dff541391b24381c4c39a4fc8727120d
- SHA512: 024baf100e11ea53af0bf3dec768ced839c1ba9a23c0f66aa0f3c336be63e90c7e8cb4c19a12b4d9381fe971ea886fb1f69ea8ec8d369c2521a779c3b80b93fa