9d70b56e9fdb6bc09ed61c55cc58f29730d3ab6545822f7c452ce973a95b959c

General

Target

INVITATION_2021105911.pdf
Size

268KB
MD5

79935cfcd2953e43de3f68c2a57d2d7c
SHA1

93694340e29f27bd76a752a1c630a6ce36d9a077
SHA256

9d70b56e9fdb6bc09ed61c55cc58f29730d3ab6545822f7c452ce973a95b959c
SHA512

eb6465c07f1217e5feded59410d9a422a5a2b8607a073997f9efff7c0fb15576ad68a62a20e55c63422f3cbbb9a6e5a49d1d6fab7b8b5c61bb4523b6ad1af2bc

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe
2372	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2372 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

2372 AcroRd32.exe
2372 AcroRd32.exe
2372 AcroRd32.exe
2372 AcroRd32.exe
2372 AcroRd32.exe
2372 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2372 wrote to memory of 656	2372	AcroRd32.exe	RdrCEF.exe
PID 2372 wrote to memory of 656	2372	AcroRd32.exe	RdrCEF.exe
PID 2372 wrote to memory of 656	2372	AcroRd32.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 3796	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe
PID 656 wrote to memory of 832	656	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\INVITATION_2021105911.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E754080E8AF412E9F34011EE3349B850 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=55CAFF5F20DF05FAE286065A6D1E19F3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=55CAFF5F20DF05FAE286065A6D1E19F3 --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
3⤵
PID:832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81DCA1B5C5C53F9834B25DCB14C07846 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81DCA1B5C5C53F9834B25DCB14C07846 --renderer-client-id=4 --mojo-platform-channel-handle=2216 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=36C6EE424132A88D8156F34FE56B5240 --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:424

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A1B0E121FA62525FA52F3E44C40082F7 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:960

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BA72FC6DDD76604D348F10EC67288981 --mojo-platform-channel-handle=2712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/424-132-0x0000000077072000-0x0000000077073000-memory.dmp

Filesize
4KB

Download
memory/424-134-0x0000000000000000-mapping.dmp

Download
memory/424-133-0x00000000012DB000-0x00000000012DC000-memory.dmp

Filesize
4KB

Download
memory/656-115-0x0000000000000000-mapping.dmp

Download
memory/832-120-0x0000000077072000-0x0000000077073000-memory.dmp

Filesize
4KB

Download
memory/832-121-0x0000000001396000-0x0000000001397000-memory.dmp

Filesize
4KB

Download
memory/832-122-0x0000000000000000-mapping.dmp

Download
memory/832-125-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/832-124-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/960-137-0x0000000001399000-0x000000000139A000-memory.dmp

Filesize
4KB

Download
memory/960-138-0x0000000000000000-mapping.dmp

Download
memory/960-136-0x0000000077072000-0x0000000077073000-memory.dmp

Filesize
4KB

Download
memory/1080-126-0x0000000077072000-0x0000000077073000-memory.dmp

Filesize
4KB

Download
memory/1080-128-0x0000000000000000-mapping.dmp

Download
memory/1080-127-0x00000000007BF000-0x00000000007C0000-memory.dmp

Filesize
4KB

Download
memory/2416-140-0x0000000077072000-0x0000000077073000-memory.dmp

Filesize
4KB

Download
memory/2416-141-0x00000000012E8000-0x00000000012E9000-memory.dmp

Filesize
4KB

Download
memory/2416-142-0x0000000000000000-mapping.dmp

Download
memory/3796-116-0x0000000077072000-0x0000000077073000-memory.dmp

Filesize
4KB

Download
memory/3796-117-0x000000000139E000-0x000000000139F000-memory.dmp

Filesize
4KB

Download
memory/3796-118-0x0000000000000000-mapping.dmp

Download
memory/3796-119-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads