Analysis
max time kernel: 168s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 01:19

Behavioral task: behavioral1
Sample: 09e18e3209995232b859b9c1f2e4940b.pdf
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 09e18e3209995232b859b9c1f2e4940b.pdf
Resource: win10v2004-20231215-en
General
Target: 09e18e3209995232b859b9c1f2e4940b.pdf
Size: 71KB
MD5: 09e18e3209995232b859b9c1f2e4940b
SHA1: 6602d08be3b139178e2d8ac6e35ae945d2a9c2b5
SHA256: 957272b338b4d51c3495cadb04a77ff5face0bd49b608daab78e64ec41679955
SHA512: 293d28cef706ffcbfa8aa2e2a34f944b078e8c87bf527b42c92c8ee88781c709b8e398b33d661efc5671473faf99e0bb0d76d6ff745f529208e0ebd61d7a89e8
SSDEEP: 1536:hZgdl76t2RLcrZNQLpqNt3HJSpUTWJjSeWypOlL+X0d7i/Zy:38lutCMZGt+3JiTSflL6i7iI
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
3712 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
3712 | AcroRd32.exe
3712 | AcroRd32.exe
3712 | AcroRd32.exe
3712 | AcroRd32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3712 wrote to memory of 3424 | 3712 | AcroRd32.exe | 109
PID 3712 wrote to memory of 3424 | 3712 | AcroRd32.exe | 109
PID 3712 wrote to memory of 3424 | 3712 | AcroRd32.exe | 109
PID 3712 wrote to memory of 4492 | 3712 | AcroRd32.exe | 112
PID 3712 wrote to memory of 4492 | 3712 | AcroRd32.exe | 112
PID 3712 wrote to memory of 4492 | 3712 | AcroRd32.exe | 112
Processes
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\09e18e3209995232b859b9c1f2e4940b.pdf"
  PID: 3712
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      PID: 3424
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      PID: 4492