Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16/08/2024, 23:08

General

  • Target

    AdobeReader 10.exe

  • Size

    45.7MB

  • MD5

    4b2f2dd39efca7ab7d69ad6735a26ffc

  • SHA1

    3d5b75ae4bd60262aaacfb35c852e31dd8ade37f

  • SHA256

    666859e6c3724513d033e3197dc7efb8736f690eb15603210813a9e5b761d2c7

  • SHA512

    56b6554f24746f18d742f962f6635649318d0dfaff399853814e4fff22efe9f141eb3bb6455f240fdd9e5eeebf324b0771e3dab3b0b0e18a193180b395fcdfb4

  • SSDEEP

    786432:nUKocG8JHLygNDq4dIQO6kOm256ddCpTe50HWS3Burn0AwdokgFLSw3:RocfLtNDMQDYBXEe0HWJ0A17Sk

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AdobeReader 10.exe
    "C:\Users\Admin\AppData\Local\Temp\AdobeReader 10.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\setup.exe
      "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\setup.exe" /msi DISABLE_CACHE=1
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe /i "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AcroRead.msi" DISABLE_CACHE=1 REBOOT="ReallySuppress" PATCH="C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AdbeRdrUpd1001_Tier2.msp"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:848
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A82587CAFAF60182E482B3B8AF37F4EC C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRAMDATA\ADOBE\SETUP\{AC76BA86-7AD7-1034-7B44-AA0000000001}\Abcpy.ini

    Filesize

    1KB

    MD5

    8e50f582a84c800ed8919f84c77332ca

    SHA1

    5c818feb6ec42660b894a9641002874241ab865f

    SHA256

    2c3dfca37d2618d54781b65d12ad25651eef1f6b321808826e5c22acc0fe2901

    SHA512

    7b7e45303881b77d33f844eb76937ac0c021d626b15eb11843cb0478fa218b85ed7781c0c612e7b113decc299ebc63c466b9bde197b80500568c4f0c2dd7db3e

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AcroRead.msi

    Filesize

    2.2MB

    MD5

    dffe2c18cb45ee1557463633fa060df1

    SHA1

    668d1cb4ab20ed085c215e8cd815521686ebc32b

    SHA256

    0579d853b52f854eb6257b86465b70ec6d9317a2733bf38adc95b8bfb178f20d

    SHA512

    4a797e53450f5ece0bb9ad47a8894b8938bc37ca60d0c3ba9aee715f7999bacc9dd107f8aad34bbe2fc35e0fda719d438bcd4a2f71bc7af362cba4b66090e1fc

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AdbeRdrUpd1001_Tier2.msp

    Filesize

    12.0MB

    MD5

    f4158dfce3aa1b3da5469f2b34c40248

    SHA1

    85960f7b30096c81b38794c34bc4fa0970807421

    SHA256

    e7336642f0c1e08bee66470d9409fc0f71e93c8eec7c925fac89c397baa8dede

    SHA512

    9658f887a97bfaaa6d307b2d0f38edfc7355d9066f05b33ce05d748c9473cce2e95eb60255ea40a314b199011a28ab4fb29e0a2128d31aad5ea51b64f4e4f6a3

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\Setup.ini

    Filesize

    212B

    MD5

    7bb337959d26a4dd4a18c311cffc94f8

    SHA1

    56884ac3ca54b8d1cb4d6b2e9ec51cc1248c50c9

    SHA256

    71bf727c4976dccd39628d1e71fbdb1de69da8cee6eae8f76e320ffd4668586b

    SHA512

    5c844292e359767f005c7f9b6505debbddad6b6388333d0b9fbe06c09c590f4a7f22e3e53245dbf06f8e2bc3987dd818738f7a7da4b7ad8e595ce0ed6d9f9e74

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\setup.exe

    Filesize

    329KB

    MD5

    298b89d914f1a0a5a75c48a5ae9b75b9

    SHA1

    fe9f329d755e4d42ae5140e31875a9ea989043a5

    SHA256

    0ac3d080d42d4d1bde82bd0b20883e5fb5e7ed9d287f51dfda0b3ce6f9f83557

    SHA512

    f0e2ad4b706ea88c1f84ae5b604093f75ff295e6e7ca48a78ec62efc31a6def4ce8c8421791a2082c47ec153ba6db31a72aa7841b99db8da9bfb6eb3b02a90a2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9

    Filesize

    5B

    MD5

    5bfa51f3a417b98e7443eca90fc94703

    SHA1

    8c015d80b8a23f780bdd215dc842b0f5551f63bd

    SHA256

    bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

    SHA512

    4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  • C:\Users\Admin\AppData\Local\Temp\22269\config.bin

    Filesize

    3KB

    MD5

    30c61a855268759e06a28a85c4e43808

    SHA1

    8fbb462eac7026a2cb61ed59b117a168b896c783

    SHA256

    f1cb73c52a99d86ee2525499c7cc5bd2f66046038154caa2d2e41f261951656b

    SHA512

    683ba39f98a4425f0fa8d256b1d8f9f4e5821f9be2d0c9f94d80677e3384f47afe9833f4683d857eb7cb2053d6a8414991777d2a60729bee2cf27bbab745e80f

  • C:\Users\Admin\AppData\Local\Temp\MSIA7B9.tmp

    Filesize

    52KB

    MD5

    4a908ee9c6f2f4aad63382cccee731e4

    SHA1

    e572580949f277987fe232757ce88c2ac35e0223

    SHA256

    459f503fb8b4fc4a600261430ac77bf70118d41fa19f7b2620d43ba6e9c8fa5e

    SHA512

    75ba5856df7ed1457b6192e3b12c5dbb9cd0c6860d787357b37d5e2aabdd1dddb1fd6195064cad1b166431a71dee233b76cb6304d8e868050d79c731ef6e567f

  • C:\Users\Admin\AppData\Local\Temp\MSIA8A5.tmp

    Filesize

    75KB

    MD5

    0c6864f73134ebdacf4458c7a2c3251f

    SHA1

    99cc4dd14f972dd58badc51ed9001dbcdb80e938

    SHA256

    862ad396ee52836a9b7a8f8142a177875f79c81964b542c3168dd8b242e19a23

    SHA512

    78048337cbdb4f7cd900366348537c80dbd9135c9a79b220895d77a494317258fc1a8ec5f7225e6652a8f44a9a2d1253a65af735a451f842d47d30376c0eb089