Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/08/2024, 23:08
Static task: static1
Behavioral task: behavioral1
- Sample: AdobeReader 10.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: AdobeReader 10.exe
- Resource: win10v2004-20240802-en
General
- Target: AdobeReader 10.exe
- Size: 45.7MB
- MD5: 4b2f2dd39efca7ab7d69ad6735a26ffc
- SHA1: 3d5b75ae4bd60262aaacfb35c852e31dd8ade37f
- SHA256: 666859e6c3724513d033e3197dc7efb8736f690eb15603210813a9e5b761d2c7
- SHA512: 56b6554f24746f18d742f962f6635649318d0dfaff399853814e4fff22efe9f141eb3bb6455f240fdd9e5eeebf324b0771e3dab3b0b0e18a193180b395fcdfb4
- SSDEEP: 786432:nUKocG8JHLygNDq4dIQO6kOm256ddCpTe50HWS3Burn0AwdokgFLSw3:RocfLtNDMQDYBXEe0HWJ0A17Sk
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  3828  setup.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  3732  MsiExec.exe
  3732  MsiExec.exe
- Blocklisted process makes network request (2 IoCs)
  flow  pid  Process
  21    848  msiexec.exe
  24    848  msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe (both instances, PID 848 and PID 4728, carry this signature in the process tree below)
  ioc: the 46 entries are 23 distinct drive roots, each opened twice:
  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (C:, D: and F: do not appear in the list.)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AdobeReader 10.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Reading this key is also how an installer picks its UI language, so on its own it is weak evidence of geographic targeting.
- Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is capped at 64)
  pid 4728 msiexec.exe (1 IoC): SeSecurityPrivilege
  pid 848 msiexec.exe (63 IoCs): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the run SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (29 privileges), repeated twice in full and a third time up to SeLockMemoryPrivilege.
  Attempting to enable essentially every privilege in its token is standard Windows Installer behaviour, so for msiexec.exe this signature reflects the API pattern rather than the caller; the same pattern on an unexpected image would carry far more weight.
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid  Process
  848  msiexec.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process             count
  3548  AdobeReader 10.exe  3
  3828  setup.exe           3
- Suspicious use of WriteProcessMemory (9 IoCs)
  pid   target  Process             procid_target  count
  3548  3828    AdobeReader 10.exe  92             3
  3828  848     setup.exe           93             3
  4728  3732    msiexec.exe         97             3
  Each writer is the parent of its target in the process tree below; nothing here writes into a process it did not create itself.
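The "Enumerates connected drives" signature above reduces to one question: how many distinct non-default drive roots did a single process open? The following is an added example of that detection logic, not Triage's code. Its input is a constructed event list built from the 46 IoCs on this page plus two benign opens for contrast; the pid 848 on the msiexec.exe rows is assumed (the signature table gives only the image name), and THRESHOLD is an assumption, not Triage's actual cut-off.

```python
"""Detect the pattern behind Triage's "Enumerates connected drives"
signature: one process opening the root of many non-default drives.
Added example, not Triage code.  FILE_OPEN_EVENTS is constructed from the
46 IoCs on the report page plus two benign opens; the pid 848 on the
msiexec.exe rows is assumed, and THRESHOLD is an assumed cut-off."""
import re
from collections import defaultdict

DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")   # NT-style \??\X: root path
THRESHOLD = 3                                         # assumed; tune per environment

# Drive letters in the exact order the signature lists them (46 opens).
_OPENED = ("E H S G V R Z P V T I J P T W N G O U Y B J Z B K A I R A M N "
           "E H L O U W L Q X K M Q S X Y").split()

# Constructed events: (image, pid, path opened).
FILE_OPEN_EVENTS = [("msiexec.exe", 848, f"\\??\\{d}:") for d in _OPENED]
FILE_OPEN_EVENTS += [
    ("notepad.exe", 1234, "\\??\\C:"),                     # default drive: ignored
    ("notepad.exe", 1234, "C:\\Users\\Admin\\notes.txt"),  # ordinary file open
]


def drive_roots_by_process(events, ignore=("C",)):
    """Map (image, pid) -> set of drive letters whose root the process opened,
    excluding the default system drive(s) listed in `ignore`."""
    seen = defaultdict(set)
    for image, pid, path in events:
        m = DRIVE_ROOT.match(path)
        if m and m.group(1).upper() not in ignore:
            seen[(image, pid)].add(m.group(1).upper())
    return seen


def enumerates_drives(events, threshold=THRESHOLD):
    """Return [(image, pid, sorted letters)] for processes that touched at
    least `threshold` distinct non-default drive roots.  Repeated opens of
    the same root (the report shows every letter twice) count once."""
    hits = []
    for (image, pid), letters in drive_roots_by_process(events).items():
        if len(letters) >= threshold:
            hits.append((image, pid, sorted(letters)))
    return hits


if __name__ == "__main__":
    for image, pid, letters in enumerates_drives(FILE_OPEN_EVENTS):
        print(f"{image} ({pid}) probed {len(letters)} drive roots: {''.join(letters)}")
```

Deduplicating by drive letter matters: the raw IoC count (46) overstates the behaviour by exactly two, and a threshold applied to raw opens would fire on a process that re-reads the same USB root in a loop.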
Processes
- [PID 3548] C:\Users\Admin\AppData\Local\Temp\AdobeReader 10.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AdobeReader 10.exe"
  signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [PID 3828] C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\setup.exe
    command line: "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\setup.exe" /msi DISABLE_CACHE=1
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [PID 848] C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe /i "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AcroRead.msi" DISABLE_CACHE=1 REBOOT="ReallySuppress" PATCH="C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AdbeRdrUpd1001_Tier2.msp"
      signatures: Blocklisted process makes network request; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- [PID 4728] C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [PID 3732] C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding A82587CAFAF60182E482B3B8AF37F4EC C
    signatures: Loads dropped DLL; System Location Discovery: System Language Discovery

Reading the tree: AdobeReader 10.exe unpacks an MSI-based installer under C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\ and its setup.exe runs the 32-bit Windows Installer client (SysWOW64\msiexec.exe /i, PID 848) against AcroRead.msi with the AdbeRdrUpd1001_Tier2.msp patch applied. The second root, system32\msiexec.exe /V (PID 4728), is the Windows Installer service; it is started by the Service Control Manager rather than by the sample, which is why it has no parent in this trace. MsiExec.exe -Embedding <GUID> (PID 3732) is the custom-action server that service spawns, and it is there, outside the sample's own process chain, that the dropped DLL is loaded. The report shows no publisher or signature check for the dropped files, so whether the MSI, MSP and that DLL are what an Adobe Reader 10 installer should carry has to be verified separately.
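The process tree above is what the nine WriteProcessMemory IoCs look like once duplicates collapse and each writer is linked to its target. The following is an added example, not Triage's code, that rebuilds that tree from the events as they are printed on this page; EVENTS is constructed from the report's nine IoC rows and IMAGES maps each pid to the image name shown in the Processes section. Pids that never appear as a target become roots, which is how the service instance (PID 4728, started by the Service Control Manager) ends up as a second root.

```python
"""Rebuild a parent/child process tree from the 'wrote to memory of' events
Triage lists under 'Suspicious use of WriteProcessMemory'.  Added example,
not Triage code.  EVENTS is constructed from the nine IoCs on the report
page; IMAGES is taken from the report's Processes section."""
import re
from collections import defaultdict

# Row format: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")

EVENTS = [
    "PID 3548 wrote to memory of 3828 3548 AdobeReader 10.exe 92",
    "PID 3548 wrote to memory of 3828 3548 AdobeReader 10.exe 92",
    "PID 3548 wrote to memory of 3828 3548 AdobeReader 10.exe 92",
    "PID 3828 wrote to memory of 848 3828 setup.exe 93",
    "PID 3828 wrote to memory of 848 3828 setup.exe 93",
    "PID 3828 wrote to memory of 848 3828 setup.exe 93",
    "PID 4728 wrote to memory of 3732 4728 msiexec.exe 97",
    "PID 4728 wrote to memory of 3732 4728 msiexec.exe 97",
    "PID 4728 wrote to memory of 3732 4728 msiexec.exe 97",
]

IMAGES = {3548: "AdobeReader 10.exe", 3828: "setup.exe", 848: "msiexec.exe",
          4728: "msiexec.exe", 3732: "MsiExec.exe"}


def parse_edges(lines):
    """Return the distinct (src_pid, dst_pid) pairs in first-seen order."""
    edges = []
    for line in lines:
        m = WPM.match(line)
        if not m:
            raise ValueError(f"unrecognised event: {line!r}")
        src, dst = int(m.group(1)), int(m.group(2))
        if (src, dst) not in edges:
            edges.append((src, dst))
    return edges


def build_tree(edges):
    """Return (roots, children).  Roots are writers that are never a target."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    roots = sorted({src for src, _ in edges} - targets)
    return roots, children


def render(pids, children, images, depth=0):
    """Indent two spaces per level; a pid without an image entry shows as '?'."""
    out = []
    for pid in pids:
        out.append("  " * depth + f"{images.get(pid, '?')} ({pid})")
        out.extend(render(children.get(pid, []), children, images, depth + 1))
    return out


if __name__ == "__main__":
    roots, children = build_tree(parse_edges(EVENTS))
    print("\n".join(render(roots, children, IMAGES)))
```

The same regex and tree builder work for a larger report; what changes in a suspicious trace is an edge whose writer is not the target's parent, which this report does not contain.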
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 8e50f582a84c800ed8919f84c77332ca
  SHA1: 5c818feb6ec42660b894a9641002874241ab865f
  SHA256: 2c3dfca37d2618d54781b65d12ad25651eef1f6b321808826e5c22acc0fe2901
  SHA512: 7b7e45303881b77d33f844eb76937ac0c021d626b15eb11843cb0478fa218b85ed7781c0c612e7b113decc299ebc63c466b9bde197b80500568c4f0c2dd7db3e
- Filesize: 2.2MB
  MD5: dffe2c18cb45ee1557463633fa060df1
  SHA1: 668d1cb4ab20ed085c215e8cd815521686ebc32b
  SHA256: 0579d853b52f854eb6257b86465b70ec6d9317a2733bf38adc95b8bfb178f20d
  SHA512: 4a797e53450f5ece0bb9ad47a8894b8938bc37ca60d0c3ba9aee715f7999bacc9dd107f8aad34bbe2fc35e0fda719d438bcd4a2f71bc7af362cba4b66090e1fc
- Filesize: 12.0MB
  MD5: f4158dfce3aa1b3da5469f2b34c40248
  SHA1: 85960f7b30096c81b38794c34bc4fa0970807421
  SHA256: e7336642f0c1e08bee66470d9409fc0f71e93c8eec7c925fac89c397baa8dede
  SHA512: 9658f887a97bfaaa6d307b2d0f38edfc7355d9066f05b33ce05d748c9473cce2e95eb60255ea40a314b199011a28ab4fb29e0a2128d31aad5ea51b64f4e4f6a3
- Filesize: 212B
  MD5: 7bb337959d26a4dd4a18c311cffc94f8
  SHA1: 56884ac3ca54b8d1cb4d6b2e9ec51cc1248c50c9
  SHA256: 71bf727c4976dccd39628d1e71fbdb1de69da8cee6eae8f76e320ffd4668586b
  SHA512: 5c844292e359767f005c7f9b6505debbddad6b6388333d0b9fbe06c09c590f4a7f22e3e53245dbf06f8e2bc3987dd818738f7a7da4b7ad8e595ce0ed6d9f9e74
- Filesize: 329KB
  MD5: 298b89d914f1a0a5a75c48a5ae9b75b9
  SHA1: fe9f329d755e4d42ae5140e31875a9ea989043a5
  SHA256: 0ac3d080d42d4d1bde82bd0b20883e5fb5e7ed9d287f51dfda0b3ce6f9f83557
  SHA512: f0e2ad4b706ea88c1f84ae5b604093f75ff295e6e7ca48a78ec62efc31a6def4ce8c8421791a2082c47ec153ba6db31a72aa7841b99db8da9bfb6eb3b02a90a2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9
  Filesize: 5B
  MD5: 5bfa51f3a417b98e7443eca90fc94703
  SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
- Filesize: 3KB
  MD5: 30c61a855268759e06a28a85c4e43808
  SHA1: 8fbb462eac7026a2cb61ed59b117a168b896c783
  SHA256: f1cb73c52a99d86ee2525499c7cc5bd2f66046038154caa2d2e41f261951656b
  SHA512: 683ba39f98a4425f0fa8d256b1d8f9f4e5821f9be2d0c9f94d80677e3384f47afe9833f4683d857eb7cb2053d6a8414991777d2a60729bee2cf27bbab745e80f
- Filesize: 52KB
  MD5: 4a908ee9c6f2f4aad63382cccee731e4
  SHA1: e572580949f277987fe232757ce88c2ac35e0223
  SHA256: 459f503fb8b4fc4a600261430ac77bf70118d41fa19f7b2620d43ba6e9c8fa5e
  SHA512: 75ba5856df7ed1457b6192e3b12c5dbb9cd0c6860d787357b37d5e2aabdd1dddb1fd6195064cad1b166431a71dee233b76cb6304d8e868050d79c731ef6e567f
- Filesize: 75KB
  MD5: 0c6864f73134ebdacf4458c7a2c3251f
  SHA1: 99cc4dd14f972dd58badc51ed9001dbcdb80e938
  SHA256: 862ad396ee52836a9b7a8f8142a177875f79c81964b542c3168dd8b242e19a23
  SHA512: 78048337cbdb4f7cd900366348537c80dbd9135c9a79b220895d77a494317258fc1a8ec5f7225e6652a8f44a9a2d1253a65af735a451f842d47d30376c0eb089

Only one of the nine dropped files carries a path on this page. That one, under CryptnetUrlCache\Content, is written by CryptoAPI when it fetches certificate chain or revocation data over the network, which is consistent with the msiexec.exe network flows flagged under Signatures; the other eight paths are not shown here.
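Page dumps of these records fuse the digest name to its value ("MD58e50f5...", "Filesize5B"), which makes them easy to mis-copy into a blocklist. The following is an added example, not Triage's code, that parses two of the records above exactly as they came off the page into structured entries, rejects any digest whose hex length does not match its algorithm, and compares a file's digests against an entry. RAW is copied from this page; the bytes checked at the end are a constructed stand-in for a file on disk.

```python
"""Parse Triage 'Downloads' records as they appear in a page dump (digest
name fused to its hex value, 'Filesize' bare or fused) into dicts with
length-checked digests, then compare a file's digests against a record.
Added example, not Triage code.  RAW is copied from the report page."""
import hashlib
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELD = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
SIZE = re.compile(r"^Filesize\s*(\S.*)?$")

RAW = r"""
Filesize
1KB
MD58e50f582a84c800ed8919f84c77332ca
SHA15c818feb6ec42660b894a9641002874241ab865f
SHA2562c3dfca37d2618d54781b65d12ad25651eef1f6b321808826e5c22acc0fe2901
SHA5127b7e45303881b77d33f844eb76937ac0c021d626b15eb11843cb0478fa218b85ed7781c0c612e7b113decc299ebc63c466b9bde197b80500568c4f0c2dd7db3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9
Filesize5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
"""


def parse_downloads(text):
    """Split on '-' separators; each record gets size, digests and, when the
    page shows one, path.  A digest of the wrong length raises ValueError."""
    records, cur, want_size = [], {}, False
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "-":
            if cur:
                records.append(cur)
            cur, want_size = {}, False
            continue
        if want_size:                      # value line after a bare 'Filesize'
            cur["size"], want_size = line, False
            continue
        m = SIZE.match(line)
        if m:
            if m.group(1):
                cur["size"] = m.group(1)   # fused form: 'Filesize5B'
            else:
                want_size = True
            continue
        m = FIELD.match(line)
        if m:
            algo, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo}: {len(hexval)} hex chars, want {DIGEST_LEN[algo]}")
            cur.setdefault("digests", {})[algo] = hexval
            continue
        if ":\\" in line:                  # a dropped-file path, e.g. C:\Users\...
            cur["path"] = line
    if cur:
        records.append(cur)
    return records


def digests_of(data):
    """Compute the four digests Triage reports for the same bytes."""
    hs = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(),
          "SHA256": hashlib.sha256(), "SHA512": hashlib.sha512()}
    for h in hs.values():
        h.update(data)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def matches(record, data):
    """True only if every digest in the record agrees with the data."""
    got = digests_of(data)
    return all(got[algo] == value for algo, value in record["digests"].items())


if __name__ == "__main__":
    for rec in parse_downloads(RAW):
        print(rec.get("path", "<no path on page>"), rec["size"], rec["digests"]["SHA256"])
```

The length check is the part worth keeping: a SHA256 that is 63 characters long because one character was dropped in copying will never match anything, and silently loading it into a blocklist is worse than failing loudly.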