Analysis

max time kernel: 49s
max time network: 50s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06/05/2023, 11:30

Static task: static1
Behavioral task: behavioral1
Sample: AdobeUpdater.exe
Resource: win10-20230220-en
General

Target: AdobeUpdater.exe
Size: 364KB
MD5: 5324f596227a0869e6ca03c9bc728fc1
SHA1: 43a60214ad227c5a1492ebe2925240bc18d94523
SHA256: 22e6f18ee2c807c2585a4d53b94a96bd2a202d59e78d0ba2ee91132529c1ef59
SHA512: 29d58615a6b8803e3d591df05de250139137298a86c6c1c8f04af8d3706a19bb090beca39870f981823d7d785b425f620344d79033d3547c313ba1de96cd8b43
SSDEEP: 6144:CpRCf5DWJKGhPefkeN1Iozeh//rIkfVzR23yW542tSFBUDJUlqhH:ERa6LWfkFozeJrIKs9C2tk1q
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid / Process: 3196 AdobeUpdater.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeHelper.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updater\\AdobeHelper.exe" | AdobeUpdater.exe

- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | perfmon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | perfmon.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid / Process: 3196 AdobeUpdater.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (unique): 4292 taskmgr.exe; 2800 perfmon.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4292 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4292 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4292 | taskmgr.exe
  Token: SeDebugPrivilege | 2800 | perfmon.exe
  Token: SeSystemProfilePrivilege | 2800 | perfmon.exe
  Token: SeCreateGlobalPrivilege | 2800 | perfmon.exe

- Suspicious use of FindShellTrayWindow (56 IoCs)
  pid / Process (unique): 4292 taskmgr.exe; 2800 perfmon.exe

- Suspicious use of SendNotifyMessage (54 IoCs)
  pid / Process (unique): 4292 taskmgr.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2496 wrote to memory of 3196 | 2496 | AdobeUpdater.exe | 66
  PID 2496 wrote to memory of 3196 | 2496 | AdobeUpdater.exe | 66
  PID 4292 wrote to memory of 1444 | 4292 | taskmgr.exe | 68
  PID 4292 wrote to memory of 1444 | 4292 | taskmgr.exe | 68
  PID 1444 wrote to memory of 2800 | 1444 | resmon.exe | 69
  PID 1444 wrote to memory of 2800 | 1444 | resmon.exe | 69
Processes

C:\Users\Admin\AppData\Local\Temp\AdobeUpdater.exe (PID 2496, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\AdobeUpdater.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    └ C:\Users\Admin\AppData\Local\Adobe\Acrobat\Updater\AdobeUpdater.exe (PID 3196, depth 2)
        command line: "C:\Users\Admin\AppData\Local\Adobe\Acrobat\Updater\AdobeUpdater.exe" C:\Users\Admin\AppData\Local\Temp\AdobeUpdater.exe
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener

C:\Windows\system32\taskmgr.exe (PID 4292, depth 1)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    └ C:\Windows\system32\resmon.exe (PID 1444, depth 2)
        command line: "C:\Windows\system32\resmon.exe"
        - Suspicious use of WriteProcessMemory
          └ C:\Windows\System32\perfmon.exe (PID 2800, depth 3)
              command line: "C:\Windows\System32\perfmon.exe" /res
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 364KB
  MD5: 5324f596227a0869e6ca03c9bc728fc1
  SHA1: 43a60214ad227c5a1492ebe2925240bc18d94523
  SHA256: 22e6f18ee2c807c2585a4d53b94a96bd2a202d59e78d0ba2ee91132529c1ef59
  SHA512: 29d58615a6b8803e3d591df05de250139137298a86c6c1c8f04af8d3706a19bb090beca39870f981823d7d785b425f620344d79033d3547c313ba1de96cd8b43