Analysis
- max time kernel: 138s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-05-2022 21:27
Behavioral task behavioral1
- Sample: b7fba489539755a3fff1b93c05a1093b3379f55aa1c29e829a7701ebb7730f8f.pdf
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: b7fba489539755a3fff1b93c05a1093b3379f55aa1c29e829a7701ebb7730f8f.pdf
- Resource: win10v2004-20220414-en
General
- Target: b7fba489539755a3fff1b93c05a1093b3379f55aa1c29e829a7701ebb7730f8f.pdf
- Size: 17KB
- MD5: c0ca787c74fa8bfec8cef8d5563779bd
- SHA1: c2c8c9a71fd1f055695b319548ee919324f33a8e
- SHA256: b7fba489539755a3fff1b93c05a1093b3379f55aa1c29e829a7701ebb7730f8f
- SHA512: f36d3ffb126cd0899d41d4037e5adb2960e21110c7cc4a4f3dc5fd5e4b6aab5c6b14e772a81778f6bd0ff7f2fc773b0523571562a097dac5e12728eefcd40ece
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Modifies Internet Explorer settings
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes (pid | process):
- 4864 | AcroRd32.exe (26 entries)
- 1968 | AdobeARM.exe (2 entries)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid | process):
- 4864 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid | process), in the order recorded:
- 4864 | AcroRd32.exe (5 entries)
- 1968 | AdobeARM.exe (1 entry)
- 4864 | AcroRd32.exe (1 entry)
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description | pid | process | target process), each recorded 3 times:
- PID 4864 wrote to memory of 1368 | 4864 | AcroRd32.exe | RdrCEF.exe
- PID 4864 wrote to memory of 2952 | 4864 | AcroRd32.exe | RdrCEF.exe
- PID 4864 wrote to memory of 3852 | 4864 | AcroRd32.exe | RdrCEF.exe
- PID 4864 wrote to memory of 1848 | 4864 | AcroRd32.exe | RdrCEF.exe
- PID 4864 wrote to memory of 4436 | 4864 | AcroRd32.exe | RdrCEF.exe
- PID 4864 wrote to memory of 1900 | 4864 | AcroRd32.exe | RdrCEF.exe
- PID 4864 wrote to memory of 1968 | 4864 | AcroRd32.exe | AdobeARM.exe
- PID 1968 wrote to memory of 1156 | 1968 | AdobeARM.exe | Reader_sl.exe
Processes (process tree; the number in brackets is the depth in the tree)
- [1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\b7fba489539755a3fff1b93c05a1093b3379f55aa1c29e829a7701ebb7730f8f.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (6 child processes, all with the same command line)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - [2] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps, named by PID)
- memory/1156-137-0x0000000000000000-mapping.dmp
- memory/1368-130-0x0000000000000000-mapping.dmp
- memory/1848-133-0x0000000000000000-mapping.dmp
- memory/1900-135-0x0000000000000000-mapping.dmp
- memory/1968-136-0x0000000000000000-mapping.dmp
- memory/2952-131-0x0000000000000000-mapping.dmp
- memory/3852-132-0x0000000000000000-mapping.dmp
- memory/4436-134-0x0000000000000000-mapping.dmp