79b9782a1714f306f9e0e7ff83dfec2e2babc52613b815f04133859780d17f8b

General

Target

79b9782a1714f306f9e0e7ff83dfec2e2babc52613b815f04133859780d17f8b.pdf
Size

44KB
MD5

1431b16a0ca67fe0a84c0ad150a35a6e
SHA1

7a9c65564cfd6d63a30aaf5483bcd6565c5e2b5b
SHA256

79b9782a1714f306f9e0e7ff83dfec2e2babc52613b815f04133859780d17f8b
SHA512

18a2226ed2978d87dbf84de970ba1b65dee206b7643d8ba3c5e7120ee0acd27b59a003640222184ef5d98de5cf079d0d55ffc66fab4f44280e5e7a3b707e8406

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000eb6d151a7f0ae2cebb98b82cd87467e84ec69d9e80e3df174760b2621d1d1ac6000000000e800000000200002000000055bedb842f5bc21be3a27eb814d84ff0ff616028eab4fd3e6ae78b273a45c373100d000029b586d8449e5ecc79099c6cbd2c9566188de425e3f786f9272636a52dfb1c2f480b1098fc4728785661b52b24471b98c315f1442fefa0623a49c4403cf1bb0f2df346d17aa26a5561ef7349e42e6be6b37ceb93df98577ff47d1df99e0aa3251cf94904e53aed7f35532217014f56cfba4c78cab3163f0e9ca2badbc1d420cdd1f7f57b730413472e7aaafc2c352c65c96eb841f72e511f7037783951f6b0597f4f497da9317b72cf0bb38519be3300f061a8cb9c09da307e6d2452eeade2f1d9484e0f4e8a76781a8ad9cedba1219005f2974d1689da6d636ba1aff21b8e182fb4f89d3696224a5167cd932b51b77152300542a7aa9b0774c38507219eef6ee8c7c91dac2575584e537df96d09d16c1608ad8733fdf76307d14945107471d1d9f7a96dd2683fd6bef62a8ed36995991e8af115c2182e0493f8f6d211b12b901a362c709a6f74b900ad2bf8f58d451f190c2da10bbe18bcd517fd294af3ec829f754042236a74e2afdde9edc20108df1b9b0991c8983179eeb1e3f37c745541cb90f8302d027d94a55a39d8d485700798aa1ccd3d663b53dfc0215d00fc1933b4411f9b1ad4dbe44a8abaedbc9296207ce3f68382ce298b563e5f565f5e44af8458c86acc075528210f86d1100dec8f7a10559b546037340a5de954ea3ef9558f60b6d19c117e2c19cb9900a3a7950c1053d25e718e209473d5ec080a88ee3492d05892166bedba9be2d98ea2710c4a8b9503b73df6d67d48f9e496a10b9e5e765264a11d16e2d86ffa5157580710a412d64d47c98ba6ab4c901200eb7dd7900694152b83a5df4bb7764b786d6f041ac8bbe3d5e18af282c8819e2c6f7b19c387adede2cea401972320b8922adff95947eb16d0c0fdcfd7c8de92262ca0bb5aebbf9f0bd8c605ac3298cbfb1408af4142bd7a65431c7442168549929f8d739842c49f6120600e4c9e87f5ac77e8a9ae52cd6beb98e2213cc1bf7b1d4ceeb5b945a69a3d98d3bb136377a50a9d548f960d8084227b12c8b596d2c0d3f3fbfc78a94ffb2ef84a429d617a6d1fc237333b6ed5aded30cc7e4edd0b2430e782fc837ce944b437e451f511b68f8f8782750b5edd5f0c84e0f5cd226588c6bffb547742f00917faf2760c4fa966e4768d779bbeb9675b650bd63f05d6716af89576863f701b5e041ca780b1951c983a73d51a1d46dc0c0061c1a1aea58a4725e3e16b7bdc38120fc79a0a5a59fa9ac7fa2f41a54725912caafdb47241d735a5367a844e0061dc9b517e6c0f35adf62fd1f92369af1a85a73d39f528fc3e7d4c48ff3477b3719f3a053146de29dd80b908979dc0ed802fe9cff13a96c2cc9cd86cf79475d0b0faa77470c485601b915c4f006928212d3ab7d9327a2cf59315c5e2e13d5acbdea1f4a212373edd5b9eb98adff798cc1f3e7be552a7543a3be297bae3d081fbdabfb0635181afc43003d8469bcf3af7b1bb43298eb2f6949dd37ce4875fec52e887e62c683adb3586f8c171b41b097b97f1e0e8fa3fa8622f2b5c764e55862380e4364d51bdeeba0812c1e98bcaf2cee251602caebb949dd995edae642ae749c7e544beea0bae4dc13eb63268c20c90ee980805656e5fb5d551f43745658ccd4bf07544593ac18ff321d4e43f1938480f1f5b0cf001ea48b8c59ba3bee803a5f4bd4e1dd023ce3609403de49a10582eb05b20f8e203eecfd9ff56c1736a2215637585981bab9bd97dd3a2277ba70855d3dc42cf0093cd656389ab66e3e945953e3ae962eab4c2554182605453fa3c2f3b83a08c66733b4b61f4ebe5adc3d2c915881db7075ac5cbc27bf8560c3f72d1264d0b7daa54903abd0f1f5fc6f5e72dee4e0be8c08cc06d75ff0dc17cc7b338f8a99f0315c41f7730dadc935e3aed64ed0e71924df30427ae847bac45b0cf3c1f319c7519e312df7a5aba74499abd11ae393479378f9ef343fad158a23390d6feffff7650815e698069696a8bf5d04eda4bd9b30f950a2fac02e2770168168deb07fb8bfc2368a92cf8fb71fa956944eaf8b1f1706aac92710a909b40040a04f360da573f8117e77a07902ab0c5a15734bf2a991cd332da12ee2d8b1ae81a6ce264b3213928cfcf1a45296eb8295d917c38a71c1c34c2669e85029a5806983baad2d93569c6b4a664f7ede4c9895bffa422127946383354767627aaff2eaff172f727e9b09328cbeab404aafb2512cf81040f26639e841c4baa7b5d0dabb6ede5196866d95a29d4f43dd426c20ac3af5d38d885ab50be4ed03ffdfbd974a5c7b2f64f3ce9a1ab7b266edd0499e6ca2c7fa30cfba5cf647223158111282acc22a48d95bcf7bb4124aeadc5716da2086491346877c981c8f14385a08eb4166d7d0a0cef7b4b5f40797053b06ff3c929d089e0d3e49a499b74b4e58a2ff3d13f43b65db30832802424801614ecf150b0463d9a1559def0f6d93e8ded12168d779546dbddafd5de27c5941b4a620d5170a3387d5951a85712ece451ba3284f2aaa2fa971d80b1a1be0f3d084b35a02b5fdd500c3a3b1ec93f732d9092b82a226c7a731cac884a2ab6487fda1779d2f3ae305cab5d4aeaa3372f3d72b66a470aeecb55acf26a897add34b79a4bd635b5dca7b9ee0d76a5c00cfc0032c6e415601d1c51d2e4e3a7e7aeec3456704de35a573b092b3a9064a558960b6a34fa6e53017d90956c9a16a79b990958d24fc3891f053424920a5648d3b656162084833b58393d41eb6028e812c9f5153dd9bdec2f8e8b282898ecdff4873d3b3a60932fd3b5af38b7faaa9c0a91952543fcf10358bbf38cc91c2a6c9de7dfc6cd6c9f0f9ec2580f141f32e2dabda7acbc62a0c07fcb4218e69ffb26ab4aa47fee0a48018c856158ea5ae75e4f2e6dcfdfd38a1ec9b96851131d9aba427289eb552530b8fc298ed68a78756bf4bec283b772186cce955a72e3b67470e37635064fea53a0a105c0f526cc813e58649470597ed385f39c7ce7a705230b15ca0915644fb3d8133abc76caf174d0c547076993c5b1332894f8041f1f719089a5dc8cddc7c310502f56277145b60d24081ccd1cca640a7a1ca64b16bec3308887bd60993c51f5803f4787abd99d8afd099f2dcfd5de1ce1d365786e5c9c1a64b499dd29132f6121439974e6f302e2d9ade8688139cca3cb5dc21f1aba7079982248466018681eeb2bb678ea374231f313efc18f6b13e7a5f6e39e341927223635f5514fbbe507e07359373533d15370607744a7838444097d25ab3724df87c2ac8ca352c85934f282278e9029e7bacf2174303e40f87d283dfed30112f443151855ad890d145167f4f990d97ce5411eeda41d68d170e64cd70a2b93722a80c91a8e30a60fa4453252f9dcd6fb28eff3f8eac97c4bf6e64b4133fd593a6b8d2c686d0cd2161ec8870fb937e4e3f066ae3b043bbd2fea2e34af749062cb7c18a70009e0e9eefac77c9fb79b8e2488ab8a302cadbe9528ffe3b9aafb7527b303b15b0220c13c87c7b0830ba10d0c33f67d9018d6a5ef79815448b2dd18f75f2e3ebe6804c975c1fdc7f792e6f58032d81689b162647675c032cd617a836ca9d4128c65bb6b8c7ece074ef548bbeb98b968bb366f97e6e899805dc12c5866286cdf3d87aee90bb634c97ffd6cb05bdfece1da5339e90751ff6158d5805b1ed7540d9228dd5c21519c6e90f3accc3f1232e7773f1c2f2eebb08954e4630db65b8f5fd98605f005f91603e9d46f3a46569394c36517e90dd694be6e3150131a8ca493940ccbfdd1d54efba0b2649ae39c0a03ffcdbac232a81deb41762f5f35a56cb1307f9c18f601c9ca123222232270b239ddc6d19cba0c01d1c255c33e16097fccd38943394f66f690d28950783e15785206a4cd48164c5c9f1905044d72d712647f55acd833a1cbcba4783337b5ba871a544af44f40654ae0ab0882a7351170952e1a379c38ba89a8b5b2951ef08e2106dbb518a8d948fcbba41f6777e29f47d12d83a84b0ebb2458d8a5d049c852ac215818c56cc061b69caf800a02f07b2859e1798b188b22a9812191acbf6d4c788d1b7dec5bcd441a6d33d140f76c113531fba3d672ea0260578ea8f452d8a41126cdb351cb5e90366a2eaff8811f4f8aec691fe944cdb697572718490b0b089c3e8b0e2f0451a80c1e98485b8510484ddcd376c4e04ed4e26a168b9a69c3b99e68a421551c9a9af8a5ea29fd919598e14bfdd147dd5f2e1553f3a33b42506c76ee786aa52dee24095ff1263b266419d80c596a9b49c4b153ff365edee45d14ac315607c494ae6b6a4dd3acbcff292196e411a662ca17b1b2d7f77b98da97291ddff8d5b535c55208b484c5e0465e85ad97c5b4f0c87b75ab89dcc5b2025c30b050faddc271ada3986946b088fc3a5e8da87f4074fab8026d18ed68464eb7fa245c40e47cb4e0ffeba97c42d4e7d0c97464a46a2b979d512c2be03ca82712600c4c1f3a88b97986839686f3e7be1cdfc0b9af50bf7a0e38e43f82472420a28af96838173629d85d69a9adee889859902bd88d6af3e7f17943174475a2c1657ea57221a736cab211887dc8bfb5acd7661d3f860791492cfd70f908b86fa3e7b2b50487ba2c1d8fb3c3ba64eba338ba9fa0ae5be5594667a7aa78a3ae60ffcbb81c0e4ddae1a866250634f3d97d459041888578b2121613e4ebc67e7dcc035a98ddc698068cb16d24ded676486532e312e9de0f1b56e4db93234000000046a89210794919dc0d3ea16a160d6f2f9d7527e4d689e71ecae1f7ade5dbadde6333ede2d56cf3d81461d337cf86a0e37da4497edbbadce9437b102ae0d5e63f	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018C005EC8713C6"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018C005EC8713C6 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000006a80b8df06ccced139e7819d64208f41a3ee98dd56de7729759102cf1921a38000000000e800000000200002000000031f677d9eac3f403d5e9feb28511bd741cfb472162df7430f217a42f695f42ed80000000bd91efad33243c318f5a2092d7b1edc66254c9a71aafe9b2f79ce5c2d9dd84b91b6a8cf9f70bdd6eac541f11f32a8b3cc7e14fd63fb9455d0b5f74d1ea9a1fdd4c3898be78a3328b0eb89378b81e7d1995e9219cd71c2a3d80d470ebb129b2dd79a63dea6f496b87f10d024e9174f3e305477f6e51464f144c04aca7d2e09af5400000005d9d9899f15876f59a0dcca1d9d96e70c95770fe1a7514ff19d83e6e8a7369682789af0d5acaa0b48e93e3e164a173d4f538e10608dcf0f4aa11a5bdda43bb13	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4384 AcroRd32.exe
4384 AcroRd32.exe
4384 AcroRd32.exe
4384 AcroRd32.exe

pid	process
4384	AcroRd32.exe
4384	AcroRd32.exe
4384	AcroRd32.exe
4384	AcroRd32.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\79b9782a1714f306f9e0e7ff83dfec2e2babc52613b815f04133859780d17f8b.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads