Analysis
- max time kernel: 121s
- max time network: 140s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 10-11-2021 07:42
Behavioral task behavioral1
- Sample: myAlpha.pdf
- Resource: win7-en-20211104 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task behavioral2
- Sample: myAlpha.pdf
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: myAlpha.pdf
- Size: 65KB
- MD5: c730832aab50e1571e29025f3634604b
- SHA1: 88dfc294122d1ff7856b368667039522dbf117ba
- SHA256: fb9a5a2bef0e38b06d4a69e44b3830b9e8cb9bc1e42fd3e0b28501c859043d73
- SHA512: 01ea88aef12ad535939334ef61ef2d0e2605a0bfaee503edcf8860b48c6c1d53963046ffe6afdbb0b523e08cd337765043921dc6bf60c95d4bb75dcc3d36a0d0
- Score: 1/10
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: AcroRd32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Modifies Internet Explorer settings
  Processes: AcroRd32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2680 | AcroRd32.exe (20 identical entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: AcroRd32.exe
  pid | process
  2680 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2680 | AcroRd32.exe (6 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: AcroRd32.exe, RdrCEF.exe
  description | pid | process | target process
  PID 2680 wrote to memory of 700 | 2680 | AcroRd32.exe | RdrCEF.exe (3 entries)
  PID 700 wrote to memory of 3936 | 700 | RdrCEF.exe | RdrCEF.exe (repeated)
  PID 700 wrote to memory of 1580 | 700 | RdrCEF.exe | RdrCEF.exe (repeated)
  The remaining 61 entries are repeats of the two RdrCEF.exe to RdrCEF.exe rows above.
Processes (process tree depth in brackets)
- [1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\myAlpha.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  Signatures:
  - Suspicious use of WriteProcessMemory
- [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B5F13C4EFA0278127630A9B72F4C62D3 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
- [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D0359286BA8CA14175614EE6E1768580 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D0359286BA8CA14175614EE6E1768580 --renderer-client-id=2 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job /prefetch:1
- [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=69241A9911E6CFE4106C77AB9C4EF9C6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=69241A9911E6CFE4106C77AB9C4EF9C6 --renderer-client-id=4 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job /prefetch:1
- [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DC1D5B98DAB1396ABFA6D20D68D8FBDC --mojo-platform-channel-handle=2464 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
- [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=01187F4806B706B75F44F3EFD5DE0735 --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
- [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=14EB9A6BC7BEAAD1C12BF0FCF0970B05 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/700-115-0x0000000000000000-mapping.dmp
- memory/1532-140-0x0000000077352000-0x0000000077353000-memory.dmp (Filesize 4KB)
- memory/1532-142-0x0000000000000000-mapping.dmp
- memory/1532-141-0x0000000000F5A000-0x0000000000F5B000-memory.dmp (Filesize 4KB)
- memory/1580-121-0x0000000000DC2000-0x0000000000DC3000-memory.dmp (Filesize 4KB)
- memory/1580-120-0x0000000077352000-0x0000000077353000-memory.dmp (Filesize 4KB)
- memory/1580-122-0x0000000000000000-mapping.dmp
- memory/1580-124-0x00000000004F0000-0x00000000004F1000-memory.dmp (Filesize 4KB)
- memory/1580-125-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize 4KB)
- memory/2468-136-0x0000000077352000-0x0000000077353000-memory.dmp (Filesize 4KB)
- memory/2468-138-0x0000000000000000-mapping.dmp
- memory/2468-137-0x00000000009E0000-0x00000000009E1000-memory.dmp (Filesize 4KB)
- memory/2840-126-0x0000000077352000-0x0000000077353000-memory.dmp (Filesize 4KB)
- memory/2840-127-0x0000000000BF8000-0x0000000000BF9000-memory.dmp (Filesize 4KB)
- memory/2840-128-0x0000000000000000-mapping.dmp
- memory/3936-116-0x0000000077352000-0x0000000077353000-memory.dmp (Filesize 4KB)
- memory/3936-117-0x0000000000B46000-0x0000000000B47000-memory.dmp (Filesize 4KB)
- memory/3936-118-0x0000000000000000-mapping.dmp
- memory/3936-119-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize 4KB)
- memory/3948-132-0x0000000077352000-0x0000000077353000-memory.dmp (Filesize 4KB)
- memory/3948-134-0x0000000000000000-mapping.dmp
- memory/3948-133-0x0000000001088000-0x0000000001089000-memory.dmp (Filesize 4KB)