Analysis
max time kernel: 140s
max time network: 159s
platform: windows10_x64
resource: win10-en-20210920
submitted: 29-10-2021 19:10
Behavioral task: behavioral1
Sample: nsgrizca.vi65 cjs.uiljm65 powhg65 .nqh.pdf
Resource: win7-en-20211014
Behavioral task: behavioral2
Sample: nsgrizca.vi65 cjs.uiljm65 powhg65 .nqh.pdf
Resource: win10-en-20210920
General
Target: nsgrizca.vi65 cjs.uiljm65 powhg65 .nqh.pdf
Size: 196KB
MD5: db65a81d4e887ad0e4aa81f5d3138307
SHA1: 942f77b9f6e9b59a820a79d686b0df9e4bebdbec
SHA256: 02445b2e866cb68dc34f0579693521de66713ca6ef6ffe18a018b093549a4993
SHA512: 2ce4086d24d63c2da8b325e81cd0896ea76c64276140caf404b3fde0ff4e300c8c4850524ca4bbed01c78e3539d962b0754bc846ed142d561a778e2fa81fd183
Malware Config
Signatures
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
Modifies Internet Explorer settings
Processes: AcroRd32.exe
- Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: AcroRd32.exe
- PID 3316 AcroRd32.exe (20 entries)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
- PID 3316 AcroRd32.exe (1 entry)
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: AcroRd32.exe
- PID 3316 AcroRd32.exe (6 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: AcroRd32.exe, RdrCEF.exe
- PID 3316 AcroRd32.exe wrote to memory of PID 692 RdrCEF.exe (3 entries)
- PID 692 RdrCEF.exe wrote to memory of PID 4368 RdrCEF.exe (41 entries)
- PID 692 RdrCEF.exe wrote to memory of PID 2256 RdrCEF.exe (20 entries)
Processes
- AcroRd32.exe (level 1)
  Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\nsgrizca.vi65 cjs.uiljm65 powhg65 .nqh.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - RdrCEF.exe (level 2)
    Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - RdrCEF.exe (level 3, gpu-process)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BAC76729F5CF5A017F18359493BC37BF --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (level 3, renderer)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=38EF479B20ED88B9D0AAEEC63E0D0AB8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=38EF479B20ED88B9D0AAEEC63E0D0AB8 --renderer-client-id=2 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
    - RdrCEF.exe (level 3, renderer)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C5D74FAFF3099B763660ACE859860B6D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C5D74FAFF3099B763660ACE859860B6D --renderer-client-id=4 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job /prefetch:1
    - RdrCEF.exe (level 3, gpu-process)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2CA53F8A942B36E10D98F7713238636E --mojo-platform-channel-handle=2464 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (level 3, gpu-process)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E969589986FA6ACBB9F63B6C6E50E8B1 --mojo-platform-channel-handle=1676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (level 3, gpu-process)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=458D74008FA975E9BFCDC4179A7826CC --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/512-129-0x0000000077802000-0x0000000077803000-memory.dmp (4KB)
- memory/512-131-0x0000000000000000-mapping.dmp
- memory/512-130-0x00000000009DC000-0x00000000009DD000-memory.dmp (4KB)
- memory/692-118-0x0000000000000000-mapping.dmp
- memory/916-137-0x0000000000000000-mapping.dmp
- memory/916-135-0x0000000077802000-0x0000000077803000-memory.dmp (4KB)
- memory/916-136-0x000000000096A000-0x000000000096B000-memory.dmp (4KB)
- memory/1632-139-0x0000000077802000-0x0000000077803000-memory.dmp (4KB)
- memory/1632-141-0x0000000000000000-mapping.dmp
- memory/1632-140-0x0000000000902000-0x0000000000903000-memory.dmp (4KB)
- memory/2256-128-0x0000000001900000-0x0000000001901000-memory.dmp (4KB)
- memory/2256-125-0x0000000000000000-mapping.dmp
- memory/2256-124-0x0000000001817000-0x0000000001818000-memory.dmp (4KB)
- memory/2256-127-0x0000000000A90000-0x0000000000A91000-memory.dmp (4KB)
- memory/2256-123-0x0000000077802000-0x0000000077803000-memory.dmp (4KB)
- memory/3740-143-0x0000000077802000-0x0000000077803000-memory.dmp (4KB)
- memory/3740-144-0x00000000019D4000-0x00000000019D5000-memory.dmp (4KB)
- memory/3740-145-0x0000000000000000-mapping.dmp
- memory/4368-120-0x0000000001838000-0x0000000001839000-memory.dmp (4KB)
- memory/4368-121-0x0000000000000000-mapping.dmp
- memory/4368-119-0x0000000077802000-0x0000000077803000-memory.dmp (4KB)
- memory/4368-122-0x0000000000140000-0x0000000000141000-memory.dmp (4KB)