Analysis
- max time kernel: 101s
- max time network: 161s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 03-11-2021 03:10
Behavioral task: behavioral1
- Sample: open and click xmppu9 gt.yjwhex9 hizm.j9 psgnf9 fa.um9 yqdm9 .pdf
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: open and click xmppu9 gt.yjwhex9 hizm.j9 psgnf9 fa.um9 yqdm9 .pdf
- Resource: win10-en-20211014
General
- Target: open and click xmppu9 gt.yjwhex9 hizm.j9 psgnf9 fa.um9 yqdm9 .pdf
- Size: 93KB
- MD5: ae749af57490a25101dbaadc4a3abb96
- SHA1: f3d164e61160c1be5ef8b2c96ee7ef6af7c1b4a0
- SHA256: e9afd1d20aa0b6d2e7106f8ebd4e2cfc6b5703bb1e16d84025cf4177c35e83e4
- SHA512: a9e67503d34621a6269e048990dc15fe3a22f2f40d16494277572d3235ea7bd987d229bbed7aa1324b42b0cf0a12c03af59760b7b2fe67c6605fd903986dae36
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    AcroRd32.exe
      Key opened:        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Modifies Internet Explorer settings (1 IoC)
  Processes:
    AcroRd32.exe
      Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    AcroRd32.exe (PID 2248): 18 events
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    AcroRd32.exe (PID 2248): 1 event
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
    AcroRd32.exe (PID 2248): 6 events
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (the report lists every event separately; grouped here by writer and target process):
    PID 2248 AcroRd32.exe -> PID 4528 RdrCEF.exe: 3 events
    PID 2248 AcroRd32.exe -> PID 4556 RdrCEF.exe: 3 events
    PID 4528 RdrCEF.exe   -> PID 644 RdrCEF.exe and PID 868 RdrCEF.exe: the remaining 58 events
  Every write in this list is between Acrobat Reader DC's own processes (AcroRd32.exe and its RdrCEF.exe helper processes); no write into a process outside Reader is recorded.
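The registry and WriteProcessMemory signatures above are reported as flattened runs of text, which makes it hard to see at a glance which process read the CPU key and which writer/target pairs account for the 64 events. The following is an added example (not the sandbox vendor's code and not part of this report) that parses both IoC shapes as they appear on this page, aggregates the memory writes into per-edge counts, and flags any edge whose writer or target is not one of Reader's own images. The Reader image baseline is an assumption, process names are assumed to end in .exe as they all do here, and the sample text is constructed: its first six events mirror events in this report, while the final powershell.exe line is invented to show what the check flags and was not observed here.

```python
"""Triage helper for flattened sandbox-report IoC text (added example).

Handles the two IoC shapes on this page:
  registry:  "Key opened|created|value queried <\REGISTRY\...> <process.exe>"
  WPM:       "PID <src> wrote to memory of <dst> <src> <src.exe> <dst.exe>"
"""
import re
from collections import Counter

# One WriteProcessMemory IoC as the report renders it, e.g.
# "PID 2248 wrote to memory of 4528 2248 AcroRd32.exe RdrCEF.exe"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")

# One registry IoC. Key paths may contain spaces ("Internet Explorer"), so the
# path is matched lazily up to the final token, which is assumed to be a
# process image ending in ".exe" (true for every entry on this page).
REG_RE = re.compile(
    r"Key (opened|created|value queried) (\\REGISTRY\\.+?) (\S+\.exe)(?=\s|$)"
)

# Key the report tags as a sandbox-detection heuristic when read.
CPU_KEY_PREFIX = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Assumed baseline (constructed): images that belong to Acrobat Reader DC.
READER_IMAGES = {"AcroRd32.exe", "RdrCEF.exe"}

# Constructed sample. The first six events mirror this report; the last line is
# an invented anomaly (a write into a non-Reader process) and was NOT observed.
SAMPLE_WPM = (
    "PID 2248 wrote to memory of 4528 2248 AcroRd32.exe RdrCEF.exe "
    "PID 2248 wrote to memory of 4528 2248 AcroRd32.exe RdrCEF.exe "
    "PID 2248 wrote to memory of 4528 2248 AcroRd32.exe RdrCEF.exe "
    "PID 2248 wrote to memory of 4556 2248 AcroRd32.exe RdrCEF.exe "
    "PID 4528 wrote to memory of 644 4528 RdrCEF.exe RdrCEF.exe "
    "PID 4528 wrote to memory of 868 4528 RdrCEF.exe RdrCEF.exe "
    "PID 4528 wrote to memory of 5100 4528 RdrCEF.exe powershell.exe"
)

# Constructed sample mirroring the three registry IoCs in this report.
SAMPLE_REG = (
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe "
    r"Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe"
)


def parse_wpm_edges(text):
    """Aggregate WPM IoCs into Counter[(src_pid, src_img, dst_pid, dst_img)]."""
    edges = Counter()
    for src, dst, _src_repeat, src_img, dst_img in WPM_RE.findall(text):
        edges[(int(src), src_img, int(dst), dst_img)] += 1
    return edges


def parse_registry_events(text):
    """Return a list of (action, key_path, process) tuples."""
    return REG_RE.findall(text)


def cross_boundary_edges(edges, baseline=READER_IMAGES):
    """Edges where either end is outside the expected image set.

    Reader's own CEF IPC legitimately trips the WriteProcessMemory signature;
    a write from or into any other image is the case that deserves a look.
    """
    return sorted(e for e in edges if e[1] not in baseline or e[3] not in baseline)


def cpu_fingerprint_readers(reg_events, prefix=CPU_KEY_PREFIX):
    """Processes that opened or queried the CentralProcessor key."""
    return sorted({proc for _, path, proc in reg_events if path.startswith(prefix)})


def summarize(edges):
    """One line per edge, most frequent first."""
    return [
        f"PID {s} {si} -> PID {d} {di}: {n} event(s)"
        for (s, si, d, di), n in edges.most_common()
    ]


if __name__ == "__main__":
    edges = parse_wpm_edges(SAMPLE_WPM)
    print("\n".join(summarize(edges)))
    print("cross-boundary writes:", cross_boundary_edges(edges))
    print("CPU key readers:", cpu_fingerprint_readers(parse_registry_events(SAMPLE_REG)))
```

Run on the full signature text of a report, `summarize` collapses the 64 repeated lines into a handful of edges, and `cross_boundary_edges` returns an empty list when, as here, every writer and target is a Reader image.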
Processes
- AcroRd32.exe (PID 2248, depth 1)
  Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\open and click xmppu9 gt.yjwhex9 hizm.j9 psgnf9 fa.um9 yqdm9 .pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - RdrCEF.exe (PID 4528, depth 2)
    Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - RdrCEF.exe (PID 644, depth 3, --type=gpu-process)
      Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=15F90FF881C56FE222C103642E24B7FE --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (PID 868, depth 3, --type=renderer)
      Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6F093FD57A0F42D17EAA152F386C71A3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6F093FD57A0F42D17EAA152F386C71A3 --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
    - RdrCEF.exe (PID 852, depth 3, --type=renderer)
      Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=63FCDBF04262207CEE2EEDB0258B9925 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=63FCDBF04262207CEE2EEDB0258B9925 --renderer-client-id=4 --mojo-platform-channel-handle=2056 --allow-no-sandbox-job /prefetch:1
    - RdrCEF.exe (PID 2380, depth 3, --type=gpu-process)
      Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1016302BFE1E60FE1042BF9C59A2A283 --mojo-platform-channel-handle=2508 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (PID 2424, depth 3, --type=gpu-process)
      Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B2D0CA5D09334430E09AAADADBB35D78 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (PID 4692, depth 3, --type=gpu-process)
      Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=97D98D6CBBA280067DB6565F79E91422 --mojo-platform-channel-handle=2616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - RdrCEF.exe (PID 4556, depth 2)
    Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/644-121-0x0000000000D21000-0x0000000000D22000-memory.dmp (4KB)
- memory/644-120-0x00000000772B2000-0x00000000772B3000-memory.dmp (4KB)
- memory/644-122-0x0000000000000000-mapping.dmp
- memory/644-124-0x0000000000340000-0x0000000000341000-memory.dmp (4KB)
- memory/852-130-0x00000000772B2000-0x00000000772B3000-memory.dmp (4KB)
- memory/852-132-0x0000000000000000-mapping.dmp
- memory/852-131-0x0000000000D71000-0x0000000000D72000-memory.dmp (4KB)
- memory/868-129-0x0000000000B10000-0x0000000000B11000-memory.dmp (4KB)
- memory/868-125-0x0000000000A23000-0x0000000000A24000-memory.dmp (4KB)
- memory/868-128-0x0000000000670000-0x0000000000671000-memory.dmp (4KB)
- memory/868-126-0x0000000000000000-mapping.dmp
- memory/868-123-0x00000000772B2000-0x00000000772B3000-memory.dmp (4KB)
- memory/2380-136-0x00000000772B2000-0x00000000772B3000-memory.dmp (4KB)
- memory/2380-137-0x0000000000B85000-0x0000000000B86000-memory.dmp (4KB)
- memory/2380-138-0x0000000000000000-mapping.dmp
- memory/2424-141-0x0000000000D6E000-0x0000000000D6F000-memory.dmp (4KB)
- memory/2424-140-0x00000000772B2000-0x00000000772B3000-memory.dmp (4KB)
- memory/2424-142-0x0000000000000000-mapping.dmp
- memory/4528-118-0x0000000000000000-mapping.dmp
- memory/4556-119-0x0000000000000000-mapping.dmp
- memory/4692-144-0x00000000772B2000-0x00000000772B3000-memory.dmp (4KB)
- memory/4692-145-0x0000000000EBA000-0x0000000000EBB000-memory.dmp (4KB)
- memory/4692-146-0x0000000000000000-mapping.dmp