Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/05/2023, 23:02
Behavioral tasks
- behavioral1: sample Photoshop-2023-Windows-24-1-1-es.exe, resource win7-20230220-en
- behavioral2: sample Photoshop-2023-Windows-24-1-1-es.exe, resource win10v2004-20230220-en
- behavioral3: sample out.exe, resource win7-20230220-en
- behavioral4: sample out.exe, resource win10v2004-20230220-en
General
- Target: Photoshop-2023-Windows-24-1-1-es.exe
- Size: 2.7MB
- MD5: ec858a1ee9f40e1ada7ebfb416ed5395
- SHA1: f280617f79d23e9b7b899485987cd7a9188ec198
- SHA256: c09c6a33c56331d6113ebd3100ea2a6c5efabe79b2cd233729bead18a028a632
- SHA512: ed95d6bc80376cb97efc126ab5c9f7ef2562f2218cc2f26152c85f784c6c9207068fd2af7283e10d332783808b6cd6ce11975669e8e6c3e44e0a41b4f81fdec3
- SSDEEP: 49152:aGTEMisXVCgvAZ6X/b5Bvd11LkrgCuygbwEF2m8o:aGIMis04Agz5/L8jk5
Malware Config
Signatures
- YARA rule match (yara_rule: upx) in the behavioral2 memory dumps of PID 3368; the same memory region 0x0000000000550000-0x0000000000E38000 matches in every dump:
  | resource | yara_rule |
  | behavioral2/memory/3368-144-0x0000000000550000-0x0000000000E38000-memory.dmp | upx |
  | behavioral2/memory/3368-191-0x0000000000550000-0x0000000000E38000-memory.dmp | upx |
  | behavioral2/memory/3368-243-0x0000000000550000-0x0000000000E38000-memory.dmp | upx |
  | behavioral2/memory/3368-245-0x0000000000550000-0x0000000000E38000-memory.dmp | upx |
  | behavioral2/memory/3368-266-0x0000000000550000-0x0000000000E38000-memory.dmp | upx |
  | behavioral2/memory/3368-268-0x0000000000550000-0x0000000000E38000-memory.dmp | upx |
  | behavioral2/memory/3368-269-0x0000000000550000-0x0000000000E38000-memory.dmp | upx |
  | behavioral2/memory/3368-273-0x0000000000550000-0x0000000000E38000-memory.dmp | upx |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  | description | ioc | Process |
  | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Photoshop-2023-Windows-24-1-1-es.exe |
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  | description | ioc | Process |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Photoshop-2023-Windows-24-1-1-es.exe |
- Modifies Internet Explorer settings (11 IoCs; the signature name is taken from the process summary below)
  | description | ioc | Process |
  | Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48" | Photoshop-2023-Windows-24-1-1-es.exe |
  | Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Photoshop-2023-Windows-24-1-1-es.exe = "11001" | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | Photoshop-2023-Windows-24-1-1-es.exe |
  | Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1" | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | Photoshop-2023-Windows-24-1-1-es.exe |
  | Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "48" | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com | Photoshop-2023-Windows-24-1-1-es.exe |
  | Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com | Photoshop-2023-Windows-24-1-1-es.exe |
  | Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com\ = "48" | Photoshop-2023-Windows-24-1-1-es.exe |
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  | pid | Process |
  | 3368 | Photoshop-2023-Windows-24-1-1-es.exe | (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  | description | pid | Process |
  | Token: SeIncreaseQuotaPrivilege | 3368 | Photoshop-2023-Windows-24-1-1-es.exe | (6 identical entries)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  | pid | Process |
  | 3368 | Photoshop-2023-Windows-24-1-1-es.exe |
- Suspicious use of SetWindowsHookEx (2 IoCs)
  | pid | Process |
  | 3368 | Photoshop-2023-Windows-24-1-1-es.exe | (2 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Photoshop-2023-Windows-24-1-1-es.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Photoshop-2023-Windows-24-1-1-es.exe"
  PID: 3368
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Downloads