Analysis
max time kernel: 163s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 10:07
Behavioral task: behavioral1
Sample: 155ed567c226f156396c603a75b246a3.pdf
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 155ed567c226f156396c603a75b246a3.pdf
Resource: win10v2004-20231215-en
General
Target: 155ed567c226f156396c603a75b246a3.pdf
Size: 91KB
MD5: 155ed567c226f156396c603a75b246a3
SHA1: b5e5f0fa710d7650dfc3d1245e06afaab5cbbe1c
SHA256: cb19ecace3adf8a2f765c4bf495c5c61a6e09eaf7709505c2436d8c9542ff72d
SHA512: 02ad4375c0c80b01fb62146de7bdbb33547d02c5dfe6246e99acfe1bc87271711d76d2ca2a898438d4f725bd96afb97ac0a2be82840bb30bfad7d2a57073685e
SSDEEP: 1536:bWB6etbFbsvBlWiZeEOmY5nkWY4HIoWGzPunsF4QoDTVVmyzWQpOCSZ2:e3JFbW3Ze9mWnk7JWzgRQoD/myeC9
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description          ioc                                                                     Process
Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        AcroRd32.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   AcroRd32.exe

Modifies Internet Explorer settings
description   ioc                                                                                                                                 Process
Key created   \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
4968   AcroRd32.exe
4968   AcroRd32.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid    Process
4968   AcroRd32.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid    Process
4968   AcroRd32.exe
4968   AcroRd32.exe
4968   AcroRd32.exe
4968   AcroRd32.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                         pid    Process        procid_target
PID 4968 wrote to memory of 396     4968   AcroRd32.exe   108
PID 4968 wrote to memory of 396     4968   AcroRd32.exe   108
PID 4968 wrote to memory of 396     4968   AcroRd32.exe   108
PID 4968 wrote to memory of 1756    4968   AcroRd32.exe   109
PID 4968 wrote to memory of 1756    4968   AcroRd32.exe   109
PID 4968 wrote to memory of 1756    4968   AcroRd32.exe   109
PID 4968 wrote to memory of 1048    4968   AcroRd32.exe   110
PID 4968 wrote to memory of 1048    4968   AcroRd32.exe   110
PID 4968 wrote to memory of 1048    4968   AcroRd32.exe   110
Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\155ed567c226f156396c603a75b246a3.pdf"
  PID: 4968
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    PID: 396

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    PID: 1756

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    PID: 1048