Analysis
- max time kernel: 157s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 25-03-2022 01:13
Behavioral task: behavioral1
- Sample: 55f6305e14e214412fff2eac759b00c073358a00c4d692380c3e05f3ff550e65.pdf
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: 55f6305e14e214412fff2eac759b00c073358a00c4d692380c3e05f3ff550e65.pdf
- Resource: win10v2004-20220310-en
General
- Target: 55f6305e14e214412fff2eac759b00c073358a00c4d692380c3e05f3ff550e65.pdf
- Size: 38KB
- MD5: b9ecd94635b5d43977f9e3c2577725cf
- SHA1: 38089eb57cf18869edfb7ce2174b55d25618cfd7
- SHA256: 55f6305e14e214412fff2eac759b00c073358a00c4d692380c3e05f3ff550e65
- SHA512: 59b38f50675ad4b2df8aa4a1e594bd9d7bcb5e34de72f3738e61f5170797b3ce2555aeb335a8dcb395fa472d443f4b9dd6f41458ae8ef1b3a448ac5d43417cba
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
- Modifies Internet Explorer settings
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (pid / process):
  - 4144 AcroRd32.exe (24 entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
  - 4144 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes (pid / process):
  - 4144 AcroRd32.exe (6 entries)
  - 3480 AdobeARM.exe (1 entry)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process -> target process):
  - PID 4144 wrote to memory of 2156: AcroRd32.exe -> RdrCEF.exe (3 entries)
  - PID 4144 wrote to memory of 4780: AcroRd32.exe -> RdrCEF.exe (3 entries)
  - PID 4144 wrote to memory of 4260: AcroRd32.exe -> RdrCEF.exe (3 entries)
  - PID 4144 wrote to memory of 2800: AcroRd32.exe -> RdrCEF.exe (3 entries)
  - PID 4144 wrote to memory of 4052: AcroRd32.exe -> RdrCEF.exe (3 entries)
  - PID 4144 wrote to memory of 3480: AcroRd32.exe -> AdobeARM.exe (3 entries)
  - PID 3480 wrote to memory of 3376: AdobeARM.exe -> Reader_sl.exe (3 entries)
  - PID 4052 wrote to memory of 3956: RdrCEF.exe -> RdrCEF.exe (41 entries)
  - PID 4052 wrote to memory of 2012: RdrCEF.exe -> RdrCEF.exe (2 entries)
Processes
- "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\55f6305e14e214412fff2eac759b00c073358a00c4d692380c3e05f3ff550e65.pdf" (PID 4144)
  Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 (PID 2156)
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 (PID 4780)
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 (PID 4260)
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 (PID 2800)
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 (PID 4052)
    Signatures: Suspicious use of WriteProcessMemory
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DD75A4005C38E98CFD5D64C0846EC3D8 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 (PID 3956)
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EFB7F8982C132D2F5C6FCE1E6F3BB429 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EFB7F8982C132D2F5C6FCE1E6F3BB429 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1 (PID 2012)
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6CE089C8A86956A179FB19CF137D9E70 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 (PID 4560)
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CF7D787900801F46A41ADB14A649CD90 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 (PID 4224)
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CE88CAF54486B1F590302C76E57B4675 --mojo-platform-channel-handle=1824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 (PID 2200)
  - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3 (PID 3480)
    Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" (PID 3376)
- C:\Windows\System32\CompPkgSrv.exe -Embedding (PID 1280)
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2012-145-0x0000000000000000-mapping.dmp
- memory/2156-134-0x0000000000000000-mapping.dmp
- memory/2200-156-0x0000000000000000-mapping.dmp
- memory/2800-137-0x0000000000000000-mapping.dmp
- memory/3376-140-0x0000000000000000-mapping.dmp
- memory/3480-139-0x0000000000000000-mapping.dmp
- memory/3956-142-0x0000000000000000-mapping.dmp
- memory/4052-138-0x0000000000000000-mapping.dmp
- memory/4224-153-0x0000000000000000-mapping.dmp
- memory/4260-136-0x0000000000000000-mapping.dmp
- memory/4560-150-0x0000000000000000-mapping.dmp
- memory/4780-135-0x0000000000000000-mapping.dmp