Analysis
max time kernel: 131s
max time network: 150s
platform: windows10_x64
resource: win10v20210408
submitted: 14-10-2021 05:01
Behavioral task: behavioral1
Sample: INVITATION_2021105911.pdf
Resource: win7-en-20210920 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: INVITATION_2021105911.pdf
Resource: win10v20210408 (windows10_x64)
0 signatures, 0 seconds
General
Target: INVITATION_2021105911.pdf
Size: 268KB
MD5: 79935cfcd2953e43de3f68c2a57d2d7c
SHA1: 93694340e29f27bd76a752a1c630a6ce36d9a077
SHA256: 9d70b56e9fdb6bc09ed61c55cc58f29730d3ab6545822f7c452ce973a95b959c
SHA512: eb6465c07f1217e5feded59410d9a422a5a2b8607a073997f9efff7c0fb15576ad68a62a20e55c63422f3cbbb9a6e5a49d1d6fab7b8b5c61bb4523b6ad1af2bc
Score: 1/10
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                     process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   AcroRd32.exe
Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid   process
  4060  AcroRd32.exe   (20 identical entries)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  4060  AcroRd32.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid   process
  4060  AcroRd32.exe   (6 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                       pid   process       target process
  PID 4060 wrote to memory of 480   4060  AcroRd32.exe  RdrCEF.exe     (3 entries)
  PID 480 wrote to memory of 420    480   RdrCEF.exe    RdrCEF.exe     (repeated)
  PID 480 wrote to memory of 608    480   RdrCEF.exe    RdrCEF.exe     (repeated)
  (64 entries in total; only the distinct rows are listed here)
Processes
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (depth 1)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\INVITATION_2021105911.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 2)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E34D741B7C1BF78C69565A085F119EDB --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=636FC2B4D8D90D6956A980E30BC366A3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=636FC2B4D8D90D6956A980E30BC366A3 --renderer-client-id=2 --mojo-platform-channel-handle=1660 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=86F75F2EDBC01DF8F4170C2D99E3F6EE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=86F75F2EDBC01DF8F4170C2D99E3F6EE --renderer-client-id=4 --mojo-platform-channel-handle=2088 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=20C88DFDC595637866B63A4A0BF8E06E --mojo-platform-channel-handle=2472 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=485DE42CF70E53FD123802A0FD28F5B9 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B1BC7F0ED00AE43A20708A6827F03DE3 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/420-118-0x00000000015D0000-0x00000000015D1000-memory.dmp   Filesize: 4KB
memory/420-117-0x0000000000000000-mapping.dmp
memory/420-116-0x00000000019A6000-0x00000000019A7000-memory.dmp   Filesize: 4KB
memory/420-115-0x0000000077352000-0x0000000077353000-memory.dmp   Filesize: 4KB
memory/480-114-0x0000000000000000-mapping.dmp
memory/608-120-0x00000000007F3000-0x00000000007F4000-memory.dmp   Filesize: 4KB
memory/608-121-0x0000000000000000-mapping.dmp
memory/608-123-0x0000000000640000-0x0000000000641000-memory.dmp   Filesize: 4KB
memory/608-124-0x0000000000AE0000-0x0000000000AE1000-memory.dmp   Filesize: 4KB
memory/608-119-0x0000000077352000-0x0000000077353000-memory.dmp   Filesize: 4KB
memory/1180-135-0x0000000077352000-0x0000000077353000-memory.dmp  Filesize: 4KB
memory/1180-137-0x0000000000000000-mapping.dmp
memory/1180-136-0x00000000019A4000-0x00000000019A5000-memory.dmp  Filesize: 4KB
memory/1348-126-0x0000000000913000-0x0000000000914000-memory.dmp  Filesize: 4KB
memory/1348-127-0x0000000000000000-mapping.dmp
memory/1348-125-0x0000000077352000-0x0000000077353000-memory.dmp  Filesize: 4KB
memory/2428-132-0x00000000019A9000-0x00000000019AA000-memory.dmp  Filesize: 4KB
memory/2428-133-0x0000000000000000-mapping.dmp
memory/2428-131-0x0000000077352000-0x0000000077353000-memory.dmp  Filesize: 4KB
memory/3644-139-0x0000000077352000-0x0000000077353000-memory.dmp  Filesize: 4KB
memory/3644-140-0x00000000015EA000-0x00000000015EB000-memory.dmp  Filesize: 4KB
memory/3644-141-0x0000000000000000-mapping.dmp