Analysis
- max time kernel: 140s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 18-10-2021 21:16
Behavioral tasks
- behavioral1: sample NEW_TABLEWARE_(AND-LIVING_COMPANY)_2021104259.pdf, resource win7-en-20211014
- behavioral2: sample NEW_TABLEWARE_(AND-LIVING_COMPANY)_2021104259.pdf, resource win10-en-20210920
General
- Target: NEW_TABLEWARE_(AND-LIVING_COMPANY)_2021104259.pdf
- Size: 268KB
- MD5: b14cfa8e53987767930c0424fa607c33
- SHA1: b169a859aa07e20b3093fd1d8fc0c252bf1d7467
- SHA256: a0f60f4d44131b07bc089c14425ff8adca677223cafb5d8f7502bfc1432363da
- SHA512: dc1d6d3d8b8f2015c7953266fa4888ec48571931c328306f5b53f76b499f1e7202d2fd15bd2e1ba5334d5d345c7245cd211371cf2297af07e07d3a492e8ae9a4
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reader is AcroRd32.exe itself (PID 2352) and the value read is ~MHz, which many legitimate applications query as well, so on its own this is a weak indicator.
Processes:
- AcroRd32.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- AcroRd32.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Modifies Internet Explorer settings
FEATURE_BROWSER_EMULATION is the per-executable feature-control key an application writes to set the document mode of its own embedded Internet Explorer web views; the sandbox flags any write under it.
Processes:
- AcroRd32.exe: Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- PID 2352 AcroRd32.exe (16 occurrences)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 2352 AcroRd32.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
- PID 2352 AcroRd32.exe (6 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID and image -> target PID and image, number of writes):
- PID 2352 AcroRd32.exe -> PID 3896 RdrCEF.exe: 3
- PID 2352 AcroRd32.exe -> PID 1872 RdrCEF.exe: 3
- PID 3896 RdrCEF.exe -> PID 2528 RdrCEF.exe: 41
- PID 3896 RdrCEF.exe -> PID 480 RdrCEF.exe: 17
Every write is from a Reader process into a child it spawned itself (AcroRd32.exe into its two RdrCEF.exe children, and one of those into its own helper processes). No write targets a process outside the Reader process tree, which is the pattern of a parent setting up children it launched rather than of injection into a foreign process.
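The WriteProcessMemory table is easier to triage once it is back in structured form. The following Python is an added example, not part of the sandbox report or its tooling: it parses cells in the report's "PID <src> wrote to memory of <dst> <src> <source image> <target image>" layout (including a continuation cell that lacks the leading "PID"), collapses the repeated rows into per-pair counts, and flags any write whose source or target image is not one of the two Reader images seen in this tree. The READER_IMAGES allow-list and the final cmd.exe row in SAMPLE are assumptions and constructed test data; the report contains no such row.

```python
"""Parse a flattened 'wrote to memory of' IoC table and apply an image allow-list.

Added example, not code from the sandbox report. The allow-list and the
cmd.exe row in SAMPLE are assumptions/constructed data.
"""
import re
from collections import Counter
from typing import Iterable, List, NamedTuple


class WpmEvent(NamedTuple):
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


# One table cell as the report renders it:
#   "PID 2352 wrote to memory of 3896 2352 AcroRd32.exe RdrCEF.exe"
# i.e. source pid, target pid, source pid again, source image, target image.
# The leading "PID" is optional so a cell split across lines still parses.
_CELL = re.compile(
    r"(?:PID\s+)?(\d+)\s+wrote to memory of\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)"
)


def parse_wpm(text: str) -> List[WpmEvent]:
    """Return one WpmEvent per cell; cells whose repeated source pid disagrees are skipped."""
    events = []
    for m in _CELL.finditer(text):
        src, dst, src_again, src_img, dst_img = m.groups()
        if src != src_again:  # malformed cell: skip rather than guess
            continue
        events.append(WpmEvent(int(src), src_img, int(dst), dst_img))
    return events


def summarize(events: Iterable[WpmEvent]) -> Counter:
    """Collapse repeated rows into (source -> target) counts."""
    return Counter(events)


# Images that belong to an Acrobat Reader DC process tree (assumption).
READER_IMAGES = {"AcroRd32.exe", "RdrCEF.exe"}


def unexpected_writes(events: Iterable[WpmEvent], allowed=READER_IMAGES) -> List[WpmEvent]:
    """Writes where either side is not a Reader image: the rows worth a closer look."""
    return [e for e in events if e.src_image not in allowed or e.dst_image not in allowed]


# Constructed sample: rows in the report's layout, then one made-up row
# (AcroRd32.exe writing into cmd.exe) that the report does not contain.
SAMPLE = (
    "PID 2352 wrote to memory of 3896 2352 AcroRd32.exe RdrCEF.exe "
    "PID 2352 wrote to memory of 3896 2352 AcroRd32.exe RdrCEF.exe "
    "PID 2352 wrote to memory of 1872 2352 AcroRd32.exe RdrCEF.exe "
    "PID 3896 wrote to memory of 2528 3896 RdrCEF.exe RdrCEF.exe "
    "PID 3896 wrote to memory of 480 3896 RdrCEF.exe RdrCEF.exe "
    "PID 2352 wrote to memory of 5120 2352 AcroRd32.exe cmd.exe"  # constructed
)

if __name__ == "__main__":
    evs = parse_wpm(SAMPLE)
    for (src, src_img, dst, dst_img), n in sorted(summarize(evs).items()):
        print(f"{src_img}({src}) -> {dst_img}({dst}): {n}")
    for e in unexpected_writes(evs):
        print("UNEXPECTED:", e)
```

Run against the full table from a report, the per-pair counts reproduce the four rows above and the allow-list check returns nothing; only the constructed cmd.exe row trips it.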
Processes (children indented under their parent)
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NEW_TABLEWARE_(AND-LIVING_COMPANY)_2021104259.pdf"
  Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8F6E757F7A97F6E5DEBCF796AB230832 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=922ABA9250C4142BDD3E0C9280718E0A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=922ABA9250C4142BDD3E0C9280718E0A --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ABCE9665A5474EBB4D604941896B680F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ABCE9665A5474EBB4D604941896B680F --renderer-client-id=4 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A68BC46FB8BD70A1F947CD53D2A836B3 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A123E3FB397C319F8C8D9A4E5DFB0FEE --mojo-platform-channel-handle=1620 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=84B2C1747387100DC13462C47D26B617 --mojo-platform-channel-handle=2600 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
The tree contains only AcroRd32.exe and the RdrCEF.exe (Chromium Embedded Framework) helper processes it launches; no process outside the Reader installation is started.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps; 4KB regions unless marked as a mapping dump)
- memory/480-123-0x0000000000000000-mapping.dmp
- memory/480-126-0x0000000000E30000-0x0000000000E31000-memory.dmp (4KB)
- memory/480-125-0x0000000000B00000-0x0000000000B01000-memory.dmp (4KB)
- memory/480-121-0x0000000077DB2000-0x0000000077DB3000-memory.dmp (4KB)
- memory/480-122-0x0000000000E18000-0x0000000000E19000-memory.dmp (4KB)
- memory/600-128-0x0000000000383000-0x0000000000384000-memory.dmp (4KB)
- memory/600-129-0x0000000000000000-mapping.dmp
- memory/600-127-0x0000000077DB2000-0x0000000077DB3000-memory.dmp (4KB)
- memory/1088-134-0x00000000005B5000-0x00000000005B6000-memory.dmp (4KB)
- memory/1088-133-0x0000000077DB2000-0x0000000077DB3000-memory.dmp (4KB)
- memory/1088-135-0x0000000000000000-mapping.dmp
- memory/1872-116-0x0000000000000000-mapping.dmp
- memory/2528-119-0x0000000000000000-mapping.dmp
- memory/2528-117-0x0000000077DB2000-0x0000000077DB3000-memory.dmp (4KB)
- memory/2528-118-0x0000000000D88000-0x0000000000D89000-memory.dmp (4KB)
- memory/2528-120-0x00000000009B0000-0x00000000009B1000-memory.dmp (4KB)
- memory/3724-141-0x0000000077DB2000-0x0000000077DB3000-memory.dmp (4KB)
- memory/3724-143-0x0000000000000000-mapping.dmp
- memory/3724-142-0x00000000017B3000-0x00000000017B4000-memory.dmp (4KB)
- memory/3896-115-0x0000000000000000-mapping.dmp
- memory/4036-139-0x0000000000000000-mapping.dmp
- memory/4036-138-0x0000000000640000-0x0000000000641000-memory.dmp (4KB)
- memory/4036-137-0x0000000077DB2000-0x0000000077DB3000-memory.dmp (4KB)