Overview

overview

3

Static

static

3

cd8c8f5b11...a3.pdf

windows7_x64

1

cd8c8f5b11...a3.pdf

windows10-2004_x64

1

Analysis

  • max time kernel
    154s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 21:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd8c8f5b11cf8df7ea533c8b1562130a07b01ef700dfa45bce2f4c8bacab3da3.pdf

  • Size

    16KB

  • MD5

    c3305c69b7ee396346405ae184a83fc5

  • SHA1

    6614dc4898d06ea745e0dc5870bd29d0f5c32e74

  • SHA256

    cd8c8f5b11cf8df7ea533c8b1562130a07b01ef700dfa45bce2f4c8bacab3da3

  • SHA512

    b57008645fe87933841fecf049d56eb3a5ba5703bd236ae50404e4c7e09ccbab52c74fc6a7323814e2b530ae9dd66ebe08e2420c0aa16a2fc1030a9924bc15a0

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cd8c8f5b11cf8df7ea533c8b1562130a07b01ef700dfa45bce2f4c8bacab3da3.pdf"
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      2⤵
        PID:2120
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        2⤵
          PID:2004
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          2⤵
            PID:3704
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            2⤵
              PID:1264
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
              2⤵
                PID:4316
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                2⤵
                  PID:4704
                • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
                  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:364
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
                    3⤵
                      PID:1472

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Privilege Escalation

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/364-136-0x0000000000000000-mapping.dmp
                  Download
                • memory/1264-133-0x0000000000000000-mapping.dmp
                  Download
                • memory/1472-137-0x0000000000000000-mapping.dmp
                  Download
                • memory/2004-131-0x0000000000000000-mapping.dmp
                  Download
                • memory/2120-130-0x0000000000000000-mapping.dmp
                  Download
                • memory/3704-132-0x0000000000000000-mapping.dmp
                  Download
                • memory/4316-134-0x0000000000000000-mapping.dmp
                  Download
                • memory/4704-135-0x0000000000000000-mapping.dmp
                  Download