Analysis
Max time kernel: 162s
Max time network: 164s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 09-03-2022 12:13
Behavioral task: behavioral1
Sample: 97b48f4fd6ac3dd91175ca1e40fdf764add99eb2c0f0cff375874a807c4f9005.pdf
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 97b48f4fd6ac3dd91175ca1e40fdf764add99eb2c0f0cff375874a807c4f9005.pdf
Resource: win10v2004-en-20220112
General
Target: 97b48f4fd6ac3dd91175ca1e40fdf764add99eb2c0f0cff375874a807c4f9005.pdf
Size: 298KB
MD5: f2d8f1770dc64f374170bfe39b46cde7
SHA1: e47160699535139b38c2d92de3f0276a4b234286
SHA256: 97b48f4fd6ac3dd91175ca1e40fdf764add99eb2c0f0cff375874a807c4f9005
SHA512: 72fcc61630aff55616ee750e69d465949645aa7b0afa176db7eccd55be23add9d77e80c0e14743f0bf1914de32bb3009d2776aa8ca69f3e8f49ad12ff430cce3
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                    | process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  | AcroRd32.exe
Modifies Internet Explorer settings
Processes:
  description | ioc                                                                                                                                          | process
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid  | process
  1128 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid  | process
  1128 | AcroRd32.exe
  1128 | AcroRd32.exe
  1128 | AcroRd32.exe
  1128 | AcroRd32.exe
  1128 | AcroRd32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                     | pid  | process      | target process
  PID 1128 wrote to memory of 4032 | 1128 | AcroRd32.exe | RdrCEF.exe
  PID 1128 wrote to memory of 4032 | 1128 | AcroRd32.exe | RdrCEF.exe
  PID 1128 wrote to memory of 4032 | 1128 | AcroRd32.exe | RdrCEF.exe
Processes

1. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
   Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\97b48f4fd6ac3dd91175ca1e40fdf764add99eb2c0f0cff375874a807c4f9005.pdf"
   - Checks processor information in registry
   - Modifies Internet Explorer settings
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
   Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043