Analysis
- max time kernel: 158s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 28-02-2022 03:16
Behavioral tasks
- behavioral1: Sample "Alibaba.com order# 03284983240830433498422239328759576898-390325025958245048474-7494045958540499.pdf.dll", Resource win7-20220223-en
- behavioral2: Sample "Alibaba.com order# 03284983240830433498422239328759576898-390325025958245048474-7494045958540499.pdf.dll", Resource win10v2004-en-20220113
- behavioral3: Sample dhl_express_packing_guide_en.pdf, Resource win7-20220223-en
- behavioral4: Sample dhl_express_packing_guide_en.pdf, Resource win10v2004-en-20220112
General
- Target: dhl_express_packing_guide_en.pdf
- Size: 2.2MB
- MD5: f2557e00dddee92128a3e7a1a77927b8
- SHA1: ad8d07d18b03ef4656f4e68171bb5b92395603c8
- SHA256: 9b5f9aef033bcf219c59fa2e097c649a7813f0fc4505f1ed268fe3895ed95d8a
- SHA512: c825926747b1d7dd27970768c50fe49ccc870886af4f5829d806ff846a3ade1963c7676c23dc04e4ea38238d5dcfd886bca5c7ca83031e9f08a96f29bdc2ffc4
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: AcroRd32.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Modifies Internet Explorer settings
  Processes: AcroRd32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes: AcroRd32.exe
  - PID 3644 AcroRd32.exe (26 identical entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: AcroRd32.exe
  - PID 3644 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: AcroRd32.exe, AdobeARM.exe
  - PID 3644 AcroRd32.exe (5 entries)
  - PID 212 AdobeARM.exe (1 entry)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: AcroRd32.exe, AdobeARM.exe, RdrCEF.exe
  Source PID / process -> target PID / process (each relationship is listed three times unless noted):
  - 3644 AcroRd32.exe -> 964 RdrCEF.exe
  - 3644 AcroRd32.exe -> 324 RdrCEF.exe
  - 3644 AcroRd32.exe -> 3732 RdrCEF.exe
  - 3644 AcroRd32.exe -> 3220 RdrCEF.exe
  - 3644 AcroRd32.exe -> 3068 RdrCEF.exe
  - 3644 AcroRd32.exe -> 3672 RdrCEF.exe
  - 3644 AcroRd32.exe -> 212 AdobeARM.exe
  - 212 AdobeARM.exe -> 1484 Reader_sl.exe
  - 3068 RdrCEF.exe -> 2512 RdrCEF.exe (repeated for all remaining entries)
Processes
- depth 1: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\dhl_express_packing_guide_en.pdf"
  Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - depth 2: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - depth 2: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - depth 2: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - depth 2: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - depth 2: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures: Suspicious use of WriteProcessMemory
    - depth 3: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F9C5ED4015F2D8417D2972A5AE98DC0B --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - depth 3: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0DBFEEAFC36FB2FAE06974CA79703318 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0DBFEEAFC36FB2FAE06974CA79703318 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
  - depth 2: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - depth 2: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
    Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - depth 3: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"