Analysis
Max time kernel: 133s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20220310-en
Submitted: 14-03-2022 18:57
Behavioral task behavioral1
  Sample: Invoice_INV58780163.pdf
  Resource: win10v2004-en-20220113
Behavioral task behavioral2
  Sample: LifeShare Transplant Donor Services of Oklahoma, Inc. CM58575719.pdf
  Resource: win10v2004-en-20220113
Behavioral task behavioral3
  Sample: LifeShare Transplant Donor Services of Oklahoma, Inc. INOF.pdf
  Resource: win10v2004-20220310-en
Behavioral task behavioral4
  Sample: LifeShare Transplant Donor Services of Oklahoma, Inc. MSA.pdf
  Resource: win10v2004-en-20220113
General
Target: LifeShare Transplant Donor Services of Oklahoma, Inc. INOF.pdf
Size: 577KB
MD5: 4ab83d225b09c4ba7ed395a9a0333b4c
SHA1: 6dad4fbb5de3e54b477bd3f68317977ea7802c66
SHA256: 1d7b5b8bfeea1d2e9e97ad5336dc1402b151afcb5d50ce3ca618de7a77d23a16
SHA512: 35871af277930921ce76646b3efa72512866ddb31cebf12201229e51d9737921c913d2c9516538de0136bfc9cde4c45fb7eb11c605855078ea880236d8d2b6d5
Malware Config
Signatures
Program crash (1 IoC)
Processes:
  pid 3116 WerFault.exe -> target pid 648 AdobeCollabSync.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid 4472 AcroRd32.exe (20 events)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid 828 AdobeCollabSync.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
  pid 828 AdobeCollabSync.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid 4472 AcroRd32.exe (6 events)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (source pid -> target pid, 3 write events each):
  4472 AcroRd32.exe -> 828 AdobeCollabSync.exe
  4472 AcroRd32.exe -> 3320 AdobeCollabSync.exe
  4472 AcroRd32.exe -> 3524 AdobeCollabSync.exe
  828 AdobeCollabSync.exe -> 1808 AdobeCollabSync.exe
  3524 AdobeCollabSync.exe -> 648 AdobeCollabSync.exe
  3320 AdobeCollabSync.exe -> 768 AdobeCollabSync.exe
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 4472)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LifeShare Transplant Donor Services of Oklahoma, Inc. INOF.pdf"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe (PID 828)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe (PID 1808)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=828
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe (PID 3320)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe (PID 768)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3320
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe (PID 3524)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe (PID 648)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3524
            C:\Windows\SysWOW64\WerFault.exe (PID 3116)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1256
              - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 2456)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 648 -ip 648
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-14.log
  MD5: 1d9789f24d5e702c8eebc59026795fe1
  SHA1: 0db35c6e57f866a1d4ecc159fa9f7ebcc36c0f99
  SHA256: 675a1ea51c6585ceb6c66ac851f950aa29167149b8c1d7722632a90444b7a3f9
  SHA512: 0b03190069838cb70c9fb3987fb9990af3d509797b0a5e91c3dfffa768d0f29e92394a6d85e674bc71cd0c5714e8ed28e845e1d60d81bfb87241f2fb7b8affd6