Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/10/2024, 18:51

General

  • Target
    14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
  • Size
    622KB
  • MD5
    4b025c5ceb5fca6da9bc97826731662e
  • SHA1
    0007aee151ee1c121ae495cb1a748b0cbdc12bd7
  • SHA256
    14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8
  • SHA512
    438517b2fd026079385958fdf477f5bf85b8290253c47c876e99810805d2b05bf37eef9f9ca7e5a6c7dd6f540a56d4c4d258c36c1b58c6cdd097c0adc4d1b0e3
  • SSDEEP
    12288:6Sq7BGgknkKQ/+AgEwDO4EwF2eNQ7m1C1+u88:6SWBhknJQ/+kMNh1w+O

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies Internet Explorer settings (1 TTP, 33 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
    "C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe
      "C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2208
    • C:\Program Files (x86)\Adobe\acrotray.exe
      "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Program Files (x86)\Adobe\acrotray.exe
        "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1124
      • C:\Program Files (x86)\Adobe\acrotray .exe
        "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Program Files (x86)\Adobe\acrotray .exe
          "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\14b86f70c28d4aab03957c0c643d197aea7d04afe9b1c73f0e7d6baf3acf39d8.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4088
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4808
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3796
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17416 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:768
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17424 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Adobe\acrotray .exe
    Filesize
    637KB
    MD5
    a592fbe2d3f2553332281ff1f9ff1bed
    SHA1
    41dc03f1ab390225530cc17bb013986ed1e36eae
    SHA256
    c507abb3bf4b292a0412513215e89464386496cb3316651e34c0b5b4797b0c75
    SHA512
    308cfbf9cd77040f8e9515ae21bf29b987e184bcaa475b6d249f2e92d9707e5d7eba3d753763c7ab2cae22572ae8422be390e555ceced20ca08f2612a8c23d26
  • C:\Program Files (x86)\Adobe\acrotray.exe
    Filesize
    627KB
    MD5
    290c452fed2e3c9736763e6aa099999b
    SHA1
    9c60e0ca87253dcf7b75d5e35fe5705a37e4ab02
    SHA256
    05f9ae8c8222d25556cffba558cfceecb39804e095dce42c63cf768b6b671ec9
    SHA512
    c702ac90be43455a5ff65cef16225a97b461dd73e16bb8bf9c317297636ec446d19d32061d7989144ddf6d01f25f0f0fa8a628278aa9ba58e3013acb1395b6b7
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4OVS68NE\bCdjkJtSL[1].js
    Filesize
    33KB
    MD5
    285520bc859a840449187cc43864a1cb
    SHA1
    3d85ac9801d3cc9a3577bc6f6ef3c754d2677dff
    SHA256
    ac8e37a73437f2c13789726ea053c21fcdfd485896aabd6498702064968e34da
    SHA512
    7d99e9b95ed4fdc8a510b3830e7948be99d55edfac91ec71c4c7e534176a25ebe48c1955dc39a950f1a3322ef7d18910048c16492ebb9ff54d517a294602d6a5
  • memory/3660-0-0x0000000010000000-0x0000000010010000-memory.dmp
    Filesize
    64KB