671fbc5a6ffd574dbcb338dc9c784d845a3abb9cfe4a0376ea4fcb3f2e9d1e08

General

Target

671fbc5a6ffd574dbcb338dc9c784d845a3abb9cfe4a0376ea4fcb3f2e9d1e08.pdf
Size

48KB
MD5

51f4bd2f335fd6ed8e6347ad6133c5ce
SHA1

a22d9e20ed8d06478f01d866516aa9e278e5cd29
SHA256

671fbc5a6ffd574dbcb338dc9c784d845a3abb9cfe4a0376ea4fcb3f2e9d1e08
SHA512

ca97cead21a729b8e982590f23f36bad0a0082b220c125a2f26e428e91c02b5e8d8784d30e216108b37b1349da190c127780bb149b5fc45f678968bd51e7bc2e

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006B9BC959A = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000036a00614a873825b99f2c2b639e7386653b5cac8beb0bdecf05a92357f5c7d68000000000e800000000200002000000078a1d8da29f33a3f2761a5ba93e095c171a7f8174d6bb3c921da5a2752567a49800000002a59a442d118e79d754338b04afb0fdaf09984f72cc84e37cd41747dd06f4200ffe14a0f4c3d07ceec36bacc39afc3b4153dc377a235ae950f3fe292677aece0b1892b0f96a2a2b82110d241c36bee2f74b88c72edd5b26b2fc5e666a7503ce9dc9fbd3f3db643e13afdd7bfaed1ff5b24a50031cbb6ef86de11d5d66d5f9e38400000001f5e6cc78ce3aacda875cdd4ae0671cab46c96b459e17b1494124169c9e10298c62e7d39a5a39cb59b1a8d6c69ea15cc803b1de6fa7503ca418429f2e3eca93f	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000841367b061b1dd2ef2f2485e4e3cfe32a674248a4785b9f32dddb24bd8fee3ab000000000e8000000002000020000000b7b498a1de01157c53f0e9cfd9cc09a807df8676ae371733ff928f5a3c07a5ba100d0000bce23b9df8c4e37bf853f7581b410e75f9fd445039d32fb00c8189e823485f6d791203f28570f2315712b3030fa5f488170dac7343a13f2813ec06383dd41a152e44c33b75df7ac2dbe1eca3212e3de690f246b2eafc5067fa915a7430d31c6938681be92fba7df672b167da0afb00e1a5406c6c7919899bd13e98f65a932f5f4220bfa8f5c68c6b66f2bd08c361e01130a85dd9a51ecca1fe396cd47e97b779cbe4ceef3fc7e6fe9bdec7cd62ef7fd5df8ad633c309b8cbb49343f4fde6892df102369b933bdc9e4e7b88e19ef30d7dfe941322d051c08b63239cda6daaae922231ea772975109d4ada1fd2c633568b6769148de57b29d4e1e808258c0a79a6c0b25b6024dfcea72ed6667133b2ec783f4a96acf1d61126a682eefb78ed67c9d2fd5eb3d7a153c1ab29e5a3f1f70a8c5e1dd75833e1b619319202353dc9b2ea5e883a65449cbd26095f23eae443451b558bf428f7a2ccbd3c1f7a69510917d270ce5a4cfbfd62f8822f299f642eaa25a4d409accdb92b385d07934bfab07db896bfd569fe54c8b89ab1f7cec9f5b283a2f0f1676c9810e795dfb1dbb515d0a3b7a4d326e5f8e0baa60162bd1e9b4b769974044937fff38061337b6bd9cc748c64f478085a5a6514be30a34ffd7d43321a888534a595dc852925372c6762a8e810d3b67dad3ded899e045fb4c337ceb14ff4443eddea574e2ff8b52cb6c29f848b6d8c1bb39544417496d21f15d3f91a7923607aac1169dbfe7501e41984fe9b29d781d8e247ef3ba6f5f491d71104cfa5f7fdae177a00aa5606336548264b6b4a72d78a85b28b2ef8060cd02ec14eebbefbdc38da182e038136d915b9a7919d3c3537b3c109e174413abf199820700100573e8a4f61f5d99e25bfde2cbf7945cbf651c4959643dd1740a6c75b465c418c3c6ee0f707e19c8affa97fd167b2a7783e89ab2f42f806112dea7eb60e330589baaaec230d92444f1c2e5f6a72937bbecfeeaaa210be172b3030413ecd6afe55f933177e23395c55bba800fe505d8e7161fac5c1be88e13cfc9932607e7f41ee2e16fc9ab402378ea35273a9086fb15fad58193c4e28460d5a4a84b363fa873e50c35f9cc1781f23ec624cfcf51d73e4068f022611653fa89db182823aa53336c9cc0007e09a5c1dbf2e27d51a7ca3b8c25d3ee5d7dfd215155dfd045b67a8e4bdf5bd4c9718b9979ae3d9540001cb1c27af5aae8e1556dc8a62d2641cd5c57d55a6ecd34085382ff0dd60374d58092b310f437a2fdf564a9ad95c848326cd8b45c4e7e554ae89a47db04e8c4ae4131dbdefdabf813975ce891af4a851bcc7380f57ae41906696373420ba0f849ab89187df1a3bdf15ecaa58fb4415eaa5a7a4dcc92068b456f5909e5b5ed2c64e0bdc3c6adc7bcc360cb751e4d41afe9308fc34e692ea8487c6c802746bbae3ba474c1d029d49ea03cda50ad1efb7da342748634af0863b8717000f59fb1dafcd8b4103de4e01013b6fc9add222824a7a995effa2c69850c570d95c1d4dfb964b99c93940e0b0672d3e065f13628f7f341e744f948243d214f78b24452ce251bf4e06900161012d0546227285fc5e92f3054ce17694d981c25d6fb58d8ae7d729f4ad7d4ca090abc71780bd6bdd1b27b62e5e07c68e925602f5ba0bf4024ffcf2b6930f404d5da10ebbe27b80a4932c31368a29c6ddea8fe6353980342e26d9efb013d8fec7956ab1a321ef612a8ebe0f06edb3a43fbf950465109b664d850d874ddb903dfdeb6a6daf34f2aac159360574794e95bf156f82728aface0ec7a8812d2c9c35eba6d9974e4c2cbcaba1b7f24bedf695f39088aabd9e6831a5abfa6c5644f83308b583be6312ab1568bc50967ea45857de20b890dce3dbc1c40da5293a488b20e69f77f69f8dd20b8dbaf064952e39f3ef1d1e91b138959d156907a253b6f680725f0ac77aad845a89aaf686e8623ec3909a0ddb872d58c7502f7342347d23321022f498e885f06f2dc45026f0ef1412985405d5a7407197c250734b0e0fe851270cda6d7bb926ded55addf96c67709d320228d82fff239c2bc85245b23b2eea89a439cc7315df25c089854aa45f0e12cd44f90cac7cad18ecc1cb45e3afcf4b1df96baeee59702c1dd678a4521e6a15ab7378eda5b1a3bc2094fd6af10dc68fdfe472b463571ad901f37ed24494450279ac334baca5df3bc7e606a45ce10e3e29e4a84f3377fad33ccd074d42af7aee05c909e72df38b203c901c91988cf6f523b7f35dea4d428e93982e2511ee9302b899e0778b63ecf6f80f8ed7d2409c4c6abfe477f9f63b6ae2b45f6be3a9281ee3c1df078744d484c7e85546ce53a01c809f1b8c808e6a6bf40aa4e48b4334390d797b28d272d486be650a498c59b540150b7e62964249daab66a24de294bff1d7a28252155e5f96cbb018971d7487b74e901c744b486d236fd828fc0d4dd7413a09ef7b5c5989a1af0db70430bd82740425f2e670412a3bf98a1bb736854ae8bd15230269101a153e143b4ad5f190f31291e5691761610889757fcc21ffd9e7a5522a86cc3fbdf0cf0855d7df20e535c969769a2b940dd95beec93f4ef8ce293dac37654ad25749ab4b91ab58239d6bc486a37dc3981a1b4d131c60e8994f4cc2ee297a5abe31f9e1b9c58976a924c9e087beebb498e5db9af13cebaaa6142ac062a255d7ce23d35aadbec0156095ab0bd3e443e444ce868ec90f660d6351743548c183a9fa3eae8c2f5474f976923dbf23e8574851a33b0be0a28880cbfee842364f5bc51dc3693706f76d8cbefcd7d6b2764691f1436b59fcf5af8b4863907adaf25d829d626763535c04992deaee50a8fca26cbac16bcc26274fe4b0a45ca35cfe3c65731e48ade4fdd0881a63e4b76a9cea293d82d3fa9c226ee974508c742c763159eb54b687a6b5e5e1579ba244f62de1d2f24c3d8a7a15302312822e91eac53713a94ccd9f3ac89e5f9405b358bc8c498bca5930c208ba182ee1612644d01468f57c3a056138432cfa1c08aa6d1cd1ea296de7955a1df21404101c60431301c9acd53267cc4341b430cdfb8b93a6406491b0f66f32ca31c1a073738f8f4f7b90c9370e6f8bffdffc0f1f6efcae13e5630f0fb1b43575069b004e9782e9502c68f4baf84927f0f8e51b070446dfe08c458448cc70dd9699d6615237d783452718752574ffa9a29469eb1640ae1b2d0e58c66f8a4b980c3320069f5eae1403075c8cd9456ed2d9c50a445b4db99f8f5759b806cc5c43edc89dca2280d1b287c54a8dbe098d0e84f5f613400b4a3fba407e1cf98020450801598c2a0182691317092a5eda22ab8480f94806c36655df12a4225ee28e868b796bb7d6b372c07f8aa1f4926c048b14b7047b7cd1b2d5af7faba1fd216ba2ecd60dd1a32d56735e8a6d3e1d23794d9e1fa35a811e0845c83f6c27c55a22558b65c7105ad7be031927ba66b1544e656117c8ba2447374e85371e9175e027f2b2838cda65257d73359630bce403eb48539b3d2981bcf0554525d3c29658a8c6c61f31be431a6f328bd6973f9171c14de035380eec66b00b4a2d3031f4a086192ff3a4da5e1d8328760d335501740ebe0c6412e952b3211ed256ea39e05d907cc050589c6fa2a7967703d770e4b35443ce48d29c2a4fd43f91c9d3678b8410dd5514f94756af6fd966111ddd5293c7be09c21a2ce475e4a12d5adeb3b0d18bb1710ee0afc67c2376457c300a858a4682429fcddcffee26c6b58c5052f44a284f6e0e33b1ba3eacc78147220ea53d5e13f6795ae8687bad8567bb958319487afb861d2bfd9b0653941efa029832e38a8220b6fa7723ab0de36347872ea2c201663823b11dcc0c5be6c8775be45a5b150aa88b5782bd597922e56369e0315f04c389bfeab4d0f0d9c41da00eef92b9bd510332f22ba2f6ea62c35acbef6ba6c01e7524e4b2d2cf2c103e6e16a3326e8ab3cc87d8c335bcbceb09a1b8c851f1d5e48ac7fcaf54d9a98af4296356c549e9d4f8d278fe91067eb8054fd2b5c5f0ac5b477a4c8361d6ced0e3f5c78c04ee63ea206a473866fbc9e3d3c766955f3164c08b16a2d4af62874f81b9d4131026bcba2ff1968518e3a39dc107ec2e25e6d4ee96f2fad92f08ba37e79f3f330a7d4b82e750aafb39a998f743fcf94f536af135ce796f4473c3874f95e090a7fda03a264d20a600e18a6891f2d76147f28a6331eceb205bd006f003a2bc8f2c3988cb2c3d549df0fe90657d9a3bbc8f785c217c551be23f18177de2e2bdab3572bff1df56c0ffa33735e6db7606e8681efa28197d0606bc76ed70f32d4ff0c02d2dc1f0475443597f9b18b70acdcb450d6b9189cdd1b6653df6e20246298fcfe3c4dd9692cedde723faaa66949b9b033133cf751ae52b19f9ff56b32ebe85ceedabe74e1f6bc5efb16634e624cb4ffe3aca53cfb48dd886ba67619621c9b0670f117e2cfcc77e720475fce5cf2eefc7fb3c27707d89a872a8ff78e1fec4426295bd5e9d9bcc954df41f8871f4c33b61031f3f91b112b1d09cb8d354fa9692475c09b2b0517f66dfa2061875638150401e948652da2c499b3de2484d0af085222b5d09aad9c0824f09703913911db62ab268014d7c94f2cdf562ca09790d9daa03e0b8235af4e1e19a0b7e103a39ca30de3079cbc6bba61c82e78b34f8ffd4517f6383ae4ebd7a30ecf6122eefd6af5670d4a5a9d5a1405d400000005d3c3706e40867d82cbecf20102b116bf991897ed976f9075c5f52d59656f1b3d697567c51e3e91f6df1df109b02fe4f6fa5286c84610639bd8af031d8fc958b	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006B9BC959A"	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4376 AcroRd32.exe
4376 AcroRd32.exe
4376 AcroRd32.exe
4376 AcroRd32.exe

pid	process
4376	AcroRd32.exe
4376	AcroRd32.exe
4376	AcroRd32.exe
4376	AcroRd32.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\671fbc5a6ffd574dbcb338dc9c784d845a3abb9cfe4a0376ea4fcb3f2e9d1e08.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads