Analysis
- max time kernel: 82s
- max time network: 138s
- platform: windows10_x64
- resource: win10v200430
- submitted: 31-05-2020 06:47

Static task: static1
Behavioral task: behavioral1
- Sample: Confirmation.PDF
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Confirmation.PDF
- Size: 36KB
- MD5: db27b229546c0a5882acfe4e41093576
- SHA1: 1532d0361a7fcf31670b97ea00bbf3249cd83713
- SHA256: 885bd96ac8580fb9a330e0136fd76c7bff4793823a7436b94f3d36f136db6753
- SHA512: 104b293e3dab9d38bf2a3215a2fd309a06c439e17f8adfcdb64d2813586ad4834bc23a7d292331b32555c0b4394d3f3add5e30cd5f8b24266a2ad27054b8f115
- Score: 1/10
Malware Config
Signatures
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid | process):
    3144 | AcroRd32.exe (all 5 entries)

- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes (pid | process):
    3144 | AcroRd32.exe (all 20 entries)

- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid | process):
    3144 | AcroRd32.exe

- Suspicious use of WriteProcessMemory (253 IoCs)
  Processes (description | pid | process | target process):
    PID 3144 wrote to memory of 904  | 3144 | AcroRd32.exe | RdrCEF.exe (3 entries)
    PID 904 wrote to memory of 1588  | 904  | RdrCEF.exe   | RdrCEF.exe (repeated entries)
    PID 904 wrote to memory of 1700  | 904  | RdrCEF.exe   | RdrCEF.exe (repeated entries)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0      | AcroRd32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

- Modifies Internet Explorer settings
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Processes
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Confirmation.PDF"
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Modifies Internet Explorer settings

  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8822B7AEF8CFB322AF17FDEE26E2CC90 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5FF4763D860CE7BC6D71A1CCBE8B11FB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5FF4763D860CE7BC6D71A1CCBE8B11FB --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CD130688BE71E5EBD94525942C5F4A9C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CD130688BE71E5EBD94525942C5F4A9C --renderer-client-id=4 --mojo-platform-channel-handle=2084 --allow-no-sandbox-job /prefetch:1

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6ED8CD149ACAAB5C379324E3B123E44C --mojo-platform-channel-handle=1696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0FE7122D73FA0E41DF93166792D8633B --mojo-platform-channel-handle=1600 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC56E365D0EBE4DAC96AA83E340F322E --mojo-platform-channel-handle=2524 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (file | filesize)
- memory/728-14-0x0000000077D02000-0x0000000077D0200C-memory.dmp | 12B
- memory/1588-0-0x0000000077D02000-0x0000000077D0200C-memory.dmp | 12B
- memory/1700-2-0x0000000077D02000-0x0000000077D0200C-memory.dmp | 12B
- memory/2100-6-0x0000000077D02000-0x0000000077D0200C-memory.dmp | 12B
- memory/3416-12-0x0000000077D02000-0x0000000077D0200C-memory.dmp | 12B
- memory/3820-10-0x0000000077D02000-0x0000000077D0200C-memory.dmp | 12B