Analysis
-
max time kernel
52s -
max time network
73s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
01-04-2022 03:15
Behavioral task
behavioral1
Sample
Ariba Network_KR (Agent).pdf
Resource
win7-20220331-en
Behavioral task
behavioral2
Sample
Ariba Network_KR (Agent).pdf
Resource
win10v2004-20220331-en
Behavioral task
behavioral3
Sample
image002.png
Resource
win7-20220331-en
Behavioral task
behavioral4
Sample
image002.png
Resource
win10v2004-20220310-en
General
-
Target
Ariba Network_KR (Agent).pdf
-
Size
884KB
-
MD5
0fef7495ef19c7270c708bd75b9803ce
-
SHA1
9a425bdfce7bc078fdb2a21a4ddce82765be8ea0
-
SHA256
aa6a53248827897dcbc0e4c56e4e471294fb8d16bb70850cc15357cad6cfb147
-
SHA512
85f18c9094b6d2dfa2bf91ac588ed7c5164a6ffe51bcab69fe4d62f57527ca0e2b7163c9e8e12e282eb96b9562e3ee718f502bff84b8aa621ec3c04a0cc2699b
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
AcroRd32.exepid process 860 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
AcroRd32.exepid process 860 AcroRd32.exe 860 AcroRd32.exe 860 AcroRd32.exe 860 AcroRd32.exe
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ariba Network_KR (Agent).pdf"1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:860