revengerat | 8c61ba7b253707486b186d4cb87add887f6e0d47a82818a0c17f38a1283b28a8

General

Target

ac31a6e33a56b45bdd8cfd2adf58c123.exe
Size

210KB
MD5

ac31a6e33a56b45bdd8cfd2adf58c123
SHA1

2cb2aebfab91b987f6a820bbf91a15ea9855b937
SHA256

8c61ba7b253707486b186d4cb87add887f6e0d47a82818a0c17f38a1283b28a8
SHA512

51a96ceba6ef87a5e9e937648f2d85c535ff1a66ccbde6316485f967db672ac638ebddfb2f59e263b0429c43626fc93e7f779f080a18eec1d3311544d5773030

Score

10^/10

revengerat nyancatrevenge trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

194.5.99.181:4452

Mutex

eac1ab2a222

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Executes dropped EXE 1 IoCs

Processes:

Jjjmzioi.exe

pid process

744 Jjjmzioi.exe

pid	process
744	Jjjmzioi.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

ac31a6e33a56b45bdd8cfd2adf58c123.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	ac31a6e33a56b45bdd8cfd2adf58c123.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3208 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exeAcroRd32.exe

pid process

3208 AcroRd32.exe
3148 AcroRd32.exe
3208 AcroRd32.exe
3208 AcroRd32.exe
3208 AcroRd32.exe
3208 AcroRd32.exe

Suspicious use of WriteProcessMemory 308 IoCs

Processes:

ac31a6e33a56b45bdd8cfd2adf58c123.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 576 wrote to memory of 744	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	Jjjmzioi.exe
PID 576 wrote to memory of 744	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	Jjjmzioi.exe
PID 576 wrote to memory of 744	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	Jjjmzioi.exe
PID 576 wrote to memory of 3208	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 576 wrote to memory of 3208	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 576 wrote to memory of 3208	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 576 wrote to memory of 3148	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 576 wrote to memory of 3148	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 576 wrote to memory of 3148	576	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 3208 wrote to memory of 2652	3208	AcroRd32.exe	RdrCEF.exe
PID 3208 wrote to memory of 2652	3208	AcroRd32.exe	RdrCEF.exe
PID 3208 wrote to memory of 2652	3208	AcroRd32.exe	RdrCEF.exe
PID 3208 wrote to memory of 2316	3208	AcroRd32.exe	RdrCEF.exe
PID 3208 wrote to memory of 2316	3208	AcroRd32.exe	RdrCEF.exe
PID 3208 wrote to memory of 2316	3208	AcroRd32.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 3524	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 1804	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 1804	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 1804	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 1804	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 1804	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 1804	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 1804	2652	RdrCEF.exe	RdrCEF.exe
PID 2652 wrote to memory of 1804	2652	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\ac31a6e33a56b45bdd8cfd2adf58c123.exe
"C:\Users\Admin\AppData\Local\Temp\ac31a6e33a56b45bdd8cfd2adf58c123.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe
"C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe"
2⤵
- Executes dropped EXE
PID:744

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nbgoyjcv.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=052EB01B6DC2B349B510171A8A128FDB --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F082FB0899411768591CB68BA6828355 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F082FB0899411768591CB68BA6828355 --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=41DE29B623FFD6AFB9BC3495964D37E8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=41DE29B623FFD6AFB9BC3495964D37E8 --renderer-client-id=4 --mojo-platform-channel-handle=2212 --allow-no-sandbox-job /prefetch:1
4⤵
PID:768

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CD47FB53BD90C499611387BDE53852C6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CD47FB53BD90C499611387BDE53852C6 --renderer-client-id=5 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1348

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=11B328B4B06660A20530CACC3E9BFD1A --mojo-platform-channel-handle=2708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3996

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE76E26170F8DE1A5641BB9130A6A64B --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3564

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6B5AAE0263B95B56C814D5D7454CE93B --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1264

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:2316

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Tcfoxfw.pdf"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe
MD5
40edbaf0a7ce2851f0883e49ee1db609

SHA1
40c95af209d9af0cac0de6de62e796a6b9603d8e

SHA256
6457a3a6a96adf2e24c3ce600928e006c50cd90eee46f73146c3507287ba9bc7

SHA512
a0c9d3f38d885e6a2ee0ed157887415f16108e9c26c5a3b2bbd54b51fcf3931d0f6a895edf3313146b1813f7351582bba7adb5cfc22df6169cc892fb4bf0b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe
MD5
40edbaf0a7ce2851f0883e49ee1db609

SHA1
40c95af209d9af0cac0de6de62e796a6b9603d8e

SHA256
6457a3a6a96adf2e24c3ce600928e006c50cd90eee46f73146c3507287ba9bc7

SHA512
a0c9d3f38d885e6a2ee0ed157887415f16108e9c26c5a3b2bbd54b51fcf3931d0f6a895edf3313146b1813f7351582bba7adb5cfc22df6169cc892fb4bf0b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nbgoyjcv.pdf
MD5
7495261386e5a072f068cbdae39d91e5

SHA1
b08800cad2f8d90a58feb45c3400e137ab31eb23

SHA256
1bb04a78b1f43adcef42947ede15aa292f8bf75629d1cecb64e8cf7d713147ab

SHA512
f38cc029ec05f42891ce049f4db1aaf1e5409612fc38afcab6eb9ce2fc9ddf7f1d350b4bdb2d9dd34d4a37257df8e7854caf9f86fd4547b645797a3cee1e347e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcfoxfw.pdf
MD5
ce5c8a69fc77843a6fdd39f2c30524dc

SHA1
e4f84b7d4703c381acef1646bf67bd3a2a0d4d08

SHA256
89ef629ae460cce80ce153f831d814c6031e20d2d8b8671130414f7b9c41ed3d

SHA512
dc76a9fc2b9ccd19dfe24de9b5baffeb1a376789ccf8e942d9013d3e3902f468e6aecc1db38c04f0295afba5ef92317ba30bc0f1ad8e959265897d8d5ab4e4d9

Download Submit
memory/576-3-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/576-2-0x00007FFE9A910000-0x00007FFE9B2FC000-memory.dmp

Filesize
9.9MB

Download
memory/744-5-0x0000000000000000-mapping.dmp

Download
memory/768-22-0x0000000077392000-0x000000007739200C-memory.dmp

Filesize
12B

Download
memory/768-23-0x0000000000000000-mapping.dmp

Download
memory/1264-39-0x0000000000000000-mapping.dmp

Download
memory/1264-38-0x0000000077392000-0x000000007739200C-memory.dmp

Filesize
12B

Download
memory/1348-28-0x0000000000000000-mapping.dmp

Download
memory/1348-27-0x0000000077392000-0x000000007739200C-memory.dmp

Filesize
12B

Download
memory/1804-18-0x0000000000000000-mapping.dmp

Download
memory/1804-17-0x0000000077392000-0x000000007739200C-memory.dmp

Filesize
12B

Download
memory/2316-13-0x0000000000000000-mapping.dmp

Download
memory/2652-12-0x0000000000000000-mapping.dmp

Download
memory/3148-8-0x0000000000000000-mapping.dmp

Download
memory/3208-7-0x0000000000000000-mapping.dmp

Download
memory/3524-14-0x0000000077392000-0x000000007739200C-memory.dmp

Filesize
12B

Download
memory/3524-15-0x0000000000000000-mapping.dmp

Download
memory/3564-35-0x0000000077392000-0x000000007739200C-memory.dmp

Filesize
12B

Download
memory/3564-36-0x0000000000000000-mapping.dmp

Download
memory/3996-32-0x0000000077392000-0x000000007739200C-memory.dmp

Filesize
12B

Download
memory/3996-33-0x0000000000000000-mapping.dmp

Download

pid	process
3208	AcroRd32.exe
3148	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe
3208	AcroRd32.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads