Analysis
max time kernel: 159s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 22:40
Behavioral tasks
behavioral1
  Sample: 05e3eeef03f3e2e2923f42b68c8287bd.pdf
  Resource: win7-20231129-en
behavioral2
  Sample: 05e3eeef03f3e2e2923f42b68c8287bd.pdf
  Resource: win10v2004-20231215-en
General
Target: 05e3eeef03f3e2e2923f42b68c8287bd.pdf
Size: 31KB
MD5: 05e3eeef03f3e2e2923f42b68c8287bd
SHA1: 119e66ef0bfada8c7fc9e525aeaf63cfbc107782
SHA256: be1e89cc91f483dde262d1187eee4bd30774b17c0513873474bab72751828423
SHA512: 2f7f48ef150ded73159f976e5bc80da928955373188f238700fdce7c6e651638cf14c27bcbe61d571f7a8de1bec9c8ed4b7c776645d597296d7e0222444954ae
SSDEEP: 768:Waur3/VEdvOiCwRwdYjX+u+lRg2Ak2lvjRkhpEzm5SgfiLZz2Nzlm7unX/s0H9lE:83/VEwKCsXD+lRg2Ak2lvjRkhpEzm5Sn
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)

Modifies Internet Explorer settings (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)

Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 3856 AcroRd32.exe (5 events)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3856 AcroRd32.exe wrote to memory of PID 2176 (procid_target 102)
  PID 3856 AcroRd32.exe wrote to memory of PID 2176 (procid_target 102)
  PID 3856 AcroRd32.exe wrote to memory of PID 2176 (procid_target 102)
  PID 3856 AcroRd32.exe wrote to memory of PID 1984 (procid_target 108)
  PID 3856 AcroRd32.exe wrote to memory of PID 1984 (procid_target 108)
  PID 3856 AcroRd32.exe wrote to memory of PID 1984 (procid_target 108)
Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 3856)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\05e3eeef03f3e2e2923f42b68c8287bd.pdf"
  Signatures:
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Child: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2176)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  Child: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1984)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043