Analysis
max time kernel: 165s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 16:10
Behavioral task: behavioral1
Sample: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
Resource: win10v2004-20221111-en
General
Target: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
Size: 83KB
MD5: 42d68211aeb022610c8c622f94683651
SHA1: 5b336158cfc04c95238c1502eabc8db76a90e112
SHA256: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc
SHA512: 2b4051a1c9732141098410e70e072d22341bd312eaed2880aa7d35197902da38d034f694e989ebfdafc96c3e638f3fb2d4dcdbbb58d05505ac6c506971b0706f
SSDEEP: 1536:8nHfhdq/LWoxOxjW2Slcnouy8oMgJKTOMlmx:aHuDtxGG8outTgJKCMgx
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 1056, Process Acrobat.exe

YARA rule matches (rule: upx), 4 IoCs
resource behavioral2/memory/4420-132-0x0000000000400000-0x0000000000452000-memory.dmp, yara_rule upx
resource behavioral2/files/0x0008000000022df9-137.dat, yara_rule upx
resource behavioral2/files/0x0008000000022df9-138.dat, yara_rule upx
resource behavioral2/memory/1056-142-0x0000000000400000-0x0000000000452000-memory.dmp, yara_rule upx

Enumerates connected drives (3 TTPs, 3 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); ioc: \??\A:; Process: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
description: File opened (read-only); ioc: \??\B:; Process: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
description: File opened (read-only); ioc: \??\E:; Process: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe

Drops file in Windows directory (1 IoC)
description: File opened for modification; ioc: C:\Windows\Windows.Manifest; Process: Acrobat.exe

Modifies Internet Explorer settings
description: Key deleted; ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TYPEDURLS; Process: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe

Modifies registry key (1 TTP, 1 IoC)
pid 2044, Process reg.exe

Modifies system certificate store
description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349; Process: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
description: Set value (data); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e; Process: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid 4420, Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
pid 4420, Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
pid 4420, Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
pid 1056, Process Acrobat.exe
pid 1056, Process Acrobat.exe
pid 1056, Process Acrobat.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description: PID 4420 wrote to memory of 2488; pid 4420; Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe; procid_target 98
description: PID 4420 wrote to memory of 2488; pid 4420; Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe; procid_target 98
description: PID 4420 wrote to memory of 2488; pid 4420; Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe; procid_target 98
description: PID 4420 wrote to memory of 1056; pid 4420; Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe; procid_target 99
description: PID 4420 wrote to memory of 1056; pid 4420; Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe; procid_target 99
description: PID 4420 wrote to memory of 1056; pid 4420; Process de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe; procid_target 99
description: PID 2488 wrote to memory of 2044; pid 2488; Process cmd.exe; procid_target 101
description: PID 2488 wrote to memory of 2044; pid 2488; Process cmd.exe; procid_target 101
description: PID 2488 wrote to memory of 2044; pid 2488; Process cmd.exe; procid_target 101
Processes
C:\Users\Admin\AppData\Local\Temp\de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe"
  PID: 4420
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c reg delete HKCU\Software\yahoo\pager /v "Save Password" /f
      PID: 2488
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          command line: reg delete HKCU\Software\yahoo\pager /v "Save Password" /f
          PID: 2044
          - Modifies registry key
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat.exe
      command line: "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat.exe"
      PID: 1056
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
(unnamed download)
Filesize: 83KB
MD5: 42d68211aeb022610c8c622f94683651
SHA1: 5b336158cfc04c95238c1502eabc8db76a90e112
SHA256: de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc
SHA512: 2b4051a1c9732141098410e70e072d22341bd312eaed2880aa7d35197902da38d034f694e989ebfdafc96c3e638f3fb2d4dcdbbb58d05505ac6c506971b0706f
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 2KB
MD5: 2e8dab0111c5f3e9103cae92a9e1cdaa
SHA1: 5d16362cf320faeacf5963532354e99e0dce3e2b
SHA256: 858dfc9a9af2e0400a91bf3660acb1a123960c5ad53df61b7f73663035e01ba8
SHA512: ee28bf368690e56ada1fc8538330cc22cb57a59a1a5012e73d3e0300dc7410b82f8c2a300625560e69bc19344acc333b2138ec49ca5ddf5f24a54debce685abb

(unnamed download)
Filesize: 506B
MD5: 37c10f2bde92a7126e4e1a44c73c5d31
SHA1: 934121e8fa137a7ee135e6955cac5f31301b23f9
SHA256: 686ab30b2fd395912abec41b17f8b29dc37389393c38c364186fcd69cf573e95
SHA512: 4f3800b069253d81c611ed2c4be7a2456acb0af3c4d31be9b8c465ab1c99f11b2fc6c35263b7d7c7cb411bc01e7c18a1ecd11676050204feaea7597cac7dc06a

(unnamed download)
Filesize: 472B
MD5: 50964d71646920295f4a98db21a913c1
SHA1: 8ede97a36ce131830b2a69f6225790dbd3f2ef8e
SHA256: aa282f0e5e4ab3690472c8c867419ea33a4fafba1594722e8ca9dcf1325fd46a
SHA512: 02c8543fc6b930a0e43727a7614edf92143701c9c81c1452faa2104cb5310c2b0b25c8d441dcac7b9e695b6e64e019d3bede3be20bede395d895e57c4da261aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 488B
MD5: 42060c254ce537d681afdc4a199c7009
SHA1: 24129420e1babdc45ebe03c1b654502eb9b88596
SHA256: 5d1fe4580097ccadc9576da58f49f07c9d683529bf96de7e932f95363ca0fd22
SHA512: 44a7f1db940cc6e494337f6c52dc624cad1fb44281662744f4b69a1f258ca10a74032efe69e61f9bd41e2fb71b5d54ec2a2cf9725e332ea44e9d89ce0d6e57fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize: 248B
MD5: 0dcace0d7070e8d60e3ea079040f19a2
SHA1: a127629275c9d6ff2cc0cbf7e8c20cf7f44f8915
SHA256: a05e2bfdf9f5ab312283d0a24a41ddb73596ab5f01ea3b3cd39fdd08eed55252
SHA512: dad9aac5add63ff7d286d048d43f76c606352b4c3d1244ec75b856f7581a6a4e374e43ce4bd36fc063be6724e1b712066ee27ecaf9cbcad209754f8350d20dc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6872375A2E1BC120603F5605C3CEC71
Filesize: 484B
MD5: 9f7fcf33c46d41db998ad02f4d3d6552
SHA1: 1e9e60962f603baee109597faa0f5137787e82d7
SHA256: 86d098afca28dc3345fa438b03affe785315d63b9e6916c6399157aab0677e22
SHA512: 8adf31095731bcfa75953d0af828b2fc8369d7e09544e2de30e50ff4a669557fcbf735e62f136619d88f7d9284e0250e8327d9a3d4caed5827c9edec34ab0004