NEW_DESIGN_2021108215.pdf

General
Target: NEW_DESIGN_2021108215.pdf
Filesize: 185KB
Completed: 14-10-2021 05:06
Score: 1/10
MD5: 0bbe6d2e37b168d8c5cdc98eec178948
SHA1: aaf8390b6b6444918b4d15cfefe1f2684ba12f16
SHA256: 080c0d2265ddda3db659b17ac5485dde0e2340144aed78d72d3395452ae76137

Malware Config
Signatures 6

Tactic tags: Defense Evasion, Discovery
  • Checks processor information in registry
    Process: AcroRd32.exe
    Description: Processor information is often read in order to detect sandboxing environments.
    TTPs: Query Registry, System Information Discovery
    Reported IOCs
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
  • Modifies Internet Explorer settings
    Process: AcroRd32.exe
    TTPs: Modify Registry
    Reported IOCs
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
  • Suspicious behavior: EnumeratesProcesses
    Process: AcroRd32.exe
    Reported IOCs
    pid | process
    1688 | AcroRd32.exe (20 identical entries)
  • Suspicious use of FindShellTrayWindow
    Process: AcroRd32.exe
    Reported IOCs
    pid | process
    1688 | AcroRd32.exe
  • Suspicious use of SetWindowsHookEx
    Process: AcroRd32.exe
    Reported IOCs
    pid | process
    1688 | AcroRd32.exe (6 identical entries)
  • Suspicious use of WriteProcessMemory
    Processes: AcroRd32.exe, RdrCEF.exe
    Reported IOCs
    description | pid | process | target process
    PID 1688 wrote to memory of 1340 | 1688 | AcroRd32.exe | RdrCEF.exe (3 identical entries)
    PID 1688 wrote to memory of 516 | 1688 | AcroRd32.exe | RdrCEF.exe (3 identical entries)
    PID 1688 wrote to memory of 3584 | 1688 | AcroRd32.exe | RdrCEF.exe (3 identical entries)
    PID 3584 wrote to memory of 908 | 3584 | RdrCEF.exe | RdrCEF.exe (41 identical entries)
    PID 3584 wrote to memory of 1168 | 3584 | RdrCEF.exe | RdrCEF.exe (14 identical entries)
Processes 11
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NEW_DESIGN_2021108215.pdf"
    Checks processor information in registry
    Modifies Internet Explorer settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      PID:1340
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      PID:516
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=30CE27F0F231E69C3DD86DF7C6D46AC4 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:908
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=83F734FA9B77B79F6DA375822CA13514 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=83F734FA9B77B79F6DA375822CA13514 --renderer-client-id=2 --mojo-platform-channel-handle=1656 --allow-no-sandbox-job /prefetch:1
        PID:1168
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A678522962240769248D9B3FCDF4ECD --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:1408
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7B7CE6269461846BB8E4B6156764D6FF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7B7CE6269461846BB8E4B6156764D6FF --renderer-client-id=5 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
        PID:2312
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6CC3471DCCA0CB6B3D3B381DB3C06D6B --mojo-platform-channel-handle=2500 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:2232
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1AE0B31712509A8FFCCB0E1DBB942B93 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:3996
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      PID:1208
Network
MITRE ATT&CK Matrix
                      Downloads
  • memory/516-116-0x0000000000000000-mapping.dmp
  • memory/908-119-0x0000000000A77000-0x0000000000A78000-memory.dmp
  • memory/908-120-0x0000000000000000-mapping.dmp
  • memory/908-122-0x00000000000A0000-0x00000000000A1000-memory.dmp
  • memory/908-118-0x0000000077602000-0x0000000077603000-memory.dmp
  • memory/1168-127-0x00000000000B0000-0x00000000000B1000-memory.dmp
  • memory/1168-121-0x0000000077602000-0x0000000077603000-memory.dmp
  • memory/1168-123-0x0000000000BAE000-0x0000000000BAF000-memory.dmp
  • memory/1168-124-0x0000000000000000-mapping.dmp
  • memory/1168-126-0x00000000000A0000-0x00000000000A1000-memory.dmp
  • memory/1208-128-0x0000000000000000-mapping.dmp
  • memory/1340-115-0x0000000000000000-mapping.dmp
  • memory/1408-129-0x0000000077602000-0x0000000077603000-memory.dmp
  • memory/1408-131-0x0000000000000000-mapping.dmp
  • memory/1408-130-0x0000000000B5C000-0x0000000000B5D000-memory.dmp
  • memory/2232-141-0x0000000000000000-mapping.dmp
  • memory/2232-139-0x0000000077602000-0x0000000077603000-memory.dmp
  • memory/2232-140-0x0000000000B08000-0x0000000000B09000-memory.dmp
  • memory/2312-133-0x0000000077602000-0x0000000077603000-memory.dmp
  • memory/2312-134-0x00000000008F8000-0x00000000008F9000-memory.dmp
  • memory/2312-135-0x0000000000000000-mapping.dmp
  • memory/3584-117-0x0000000000000000-mapping.dmp
  • memory/3996-143-0x0000000077602000-0x0000000077603000-memory.dmp
  • memory/3996-144-0x000000000041B000-0x000000000041C000-memory.dmp
  • memory/3996-145-0x0000000000000000-mapping.dmp