Analysis
- max time kernel: 161s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 10-03-2022 20:36
Behavioral task: behavioral1
- Sample: 4c059ac22437b2a8591bffa10d67807c2d78c327d9501701aaef185a306c269d.pdf
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 4c059ac22437b2a8591bffa10d67807c2d78c327d9501701aaef185a306c269d.pdf
- Resource: win10v2004-en-20220112
General
- Target: 4c059ac22437b2a8591bffa10d67807c2d78c327d9501701aaef185a306c269d.pdf
- Size: 44KB
- MD5: 02b1a9d3e05ccc1a82a1b6522fe5b104
- SHA1: a184fd5b300e1ab6bc44cb1bdccf01248f131107
- SHA256: 4c059ac22437b2a8591bffa10d67807c2d78c327d9501701aaef185a306c269d
- SHA512: d0dc1c3e8606ad78dfceb20de3663830e73e093bef06d5d04855341189a5d5afd0378bd65a29626ddd66bb6cf1395902b78f4fbc3576fa6d662ba62becc29a90
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description       | ioc                                                                     | process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   | AcroRd32.exe
- Modifies Internet Explorer settings
  Processes:
  description | ioc                                                                                                                                         | process
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid  | process
  4056 | AcroRd32.exe
  4056 | AcroRd32.exe
  4056 | AcroRd32.exe
  4056 | AcroRd32.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid  | process
  4056 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  pid  | process
  4056 | AcroRd32.exe
  4056 | AcroRd32.exe
  4056 | AcroRd32.exe
  4056 | AcroRd32.exe
  4056 | AcroRd32.exe
  4056 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description                       | pid  | process      | target process
  PID 4056 wrote to memory of 3472  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 3472  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 3472  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2208  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2208  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2208  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2316  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2316  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2316  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2472  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2472  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 2472  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 1180  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 1180  | 4056 | AcroRd32.exe | RdrCEF.exe
  PID 4056 wrote to memory of 1180  | 4056 | AcroRd32.exe | RdrCEF.exe
Processes
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4c059ac22437b2a8591bffa10d67807c2d78c327d9501701aaef185a306c269d.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043