74f8cf17b3cc70112c349d3d7da6f4861949b6c49590058c1748cf636efe91c4

General

Target

LifeShare Transplant Donor Services of Oklahoma, Inc. INOF.pdf
Size

577KB
MD5

4ab83d225b09c4ba7ed395a9a0333b4c
SHA1

6dad4fbb5de3e54b477bd3f68317977ea7802c66
SHA256

1d7b5b8bfeea1d2e9e97ad5336dc1402b151afcb5d50ce3ca618de7a77d23a16
SHA512

35871af277930921ce76646b3efa72512866ddb31cebf12201229e51d9737921c913d2c9516538de0136bfc9cde4c45fb7eb11c605855078ea880236d8d2b6d5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3116 648 WerFault.exe AdobeCollabSync.exe

pid	pid_target	process	target process
3116	648	WerFault.exe	AdobeCollabSync.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AdobeCollabSync.exe

pid process

828 AdobeCollabSync.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AdobeCollabSync.exe

pid process

828 AdobeCollabSync.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4472 AcroRd32.exe
4472 AcroRd32.exe
4472 AcroRd32.exe
4472 AcroRd32.exe
4472 AcroRd32.exe
4472 AcroRd32.exe

pid	process
828	AdobeCollabSync.exe

pid	process
828	AdobeCollabSync.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exe

description	pid	process	target process
PID 4472 wrote to memory of 828	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 4472 wrote to memory of 828	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 4472 wrote to memory of 828	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 4472 wrote to memory of 3320	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 4472 wrote to memory of 3320	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 4472 wrote to memory of 3320	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 4472 wrote to memory of 3524	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 4472 wrote to memory of 3524	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 4472 wrote to memory of 3524	4472	AcroRd32.exe	AdobeCollabSync.exe
PID 828 wrote to memory of 1808	828	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 828 wrote to memory of 1808	828	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 828 wrote to memory of 1808	828	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3524 wrote to memory of 648	3524	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3524 wrote to memory of 648	3524	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3524 wrote to memory of 648	3524	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3320 wrote to memory of 768	3320	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3320 wrote to memory of 768	3320	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3320 wrote to memory of 768	3320	AdobeCollabSync.exe	AdobeCollabSync.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LifeShare Transplant Donor Services of Oklahoma, Inc. INOF.pdf"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:828

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=828
3⤵
PID:1808

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3320
3⤵
PID:768

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3524
3⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1256
4⤵
- Program crash
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 648 -ip 648
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-14.log
MD5
1d9789f24d5e702c8eebc59026795fe1

SHA1
0db35c6e57f866a1d4ecc159fa9f7ebcc36c0f99

SHA256
675a1ea51c6585ceb6c66ac851f950aa29167149b8c1d7722632a90444b7a3f9

SHA512
0b03190069838cb70c9fb3987fb9990af3d509797b0a5e91c3dfffa768d0f29e92394a6d85e674bc71cd0c5714e8ed28e845e1d60d81bfb87241f2fb7b8affd6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads