General
Target: 9100955b35c715daf84cd0446c5c1ab10140691aeee4f6c945ada04aa1edbee8.pdf
Filesize: 861KB
Completed: 14-05-2022 21:20
Task: behavioral2
Score: 1/10
MD5: 79b44b5f3b913e1b7d4202799073c820
SHA1: a7e5d67b7479c649c9ffa2f7a14bd7c1b989cc6c
SHA256: 9100955b35c715daf84cd0446c5c1ab10140691aeee4f6c945ada04aa1edbee8
SHA512: 6bf072f478a91650d93b9cbe3d82f546aa8036246c01257f56932862cf5dcdb7d8b06c7ba04c23670a5cadbc95eae4fbf68bd4c6c4a269dcd23083e572bbfde3

Malware Config
Signatures 6


Categories: Defense Evasion, Discovery
  • Checks processor information in registry
    AcroRd32.exe

    Description

    Processor information is often read in order to detect sandboxing environments. Here the value read is the ~MHz entry of CentralProcessor\0, and the query comes from AcroRd32.exe, the reader process itself.

    TTPs

    Query Registry (T1012), System Information Discovery (T1082)

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
  • Modifies Internet Explorer settings
    AcroRd32.exe

    TTPs

    Modify Registry (T1112)

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
  • Suspicious behavior: EnumeratesProcesses
    AcroRd32.exe, AdobeARM.exe

    Reported IOCs

    pid | process | events
    1876 | AcroRd32.exe | 18
    3844 | AdobeARM.exe | 2
  • Suspicious use of FindShellTrayWindow
    AcroRd32.exe

    Reported IOCs

    pid | process | events
    1876 | AcroRd32.exe | 1
  • Suspicious use of SetWindowsHookEx
    AcroRd32.exe, AdobeARM.exe

    Reported IOCs

    pid | process | events
    1876 | AcroRd32.exe | 6
    3844 | AdobeARM.exe | 1
  • Suspicious use of WriteProcessMemory
    AcroRd32.exe, RdrCEF.exe

    Reported IOCs

    description | pid | process | target process | events
    PID 1876 wrote to memory of 3624 | 1876 | AcroRd32.exe | RdrCEF.exe | 3
    PID 3624 wrote to memory of 4520 | 3624 | RdrCEF.exe | RdrCEF.exe | 41
    PID 3624 wrote to memory of 4904 | 3624 | RdrCEF.exe | RdrCEF.exe | 20
Processes 11
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\9100955b35c715daf84cd0446c5c1ab10140691aeee4f6c945ada04aa1edbee8.pdf"
    Checks processor information in registry
    Modifies Internet Explorer settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1423AC274D5EF4E1C3EEB23E5649DD03 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:4520
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2FED852DD26C63C723478BDFBF4E8A5A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2FED852DD26C63C723478BDFBF4E8A5A --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
        PID:4904
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2056A845F9E8743F182EC24937496ABE --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:3560
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=29A2F4618D5135199BEB28EB55A0BC66 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=29A2F4618D5135199BEB28EB55A0BC66 --renderer-client-id=5 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1
        PID:2536
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C5FB018B35F7F93F21583D2F082FD309 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:2716
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=87E740F9EFBC2B6674C982B0B4A1BB6E --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:3204
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3844
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
        PID:3684
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:1308
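The WriteProcessMemory signature above fires on every cross-process write, including the ones a parent makes while creating its children, so the check an analyst wants is whether each write's target is a direct child of the writer. The script below is an added example written for this page (it is not part of the sandbox report and not Adobe's or the sandbox vendor's code). It parses the IOC rows in the flattened form the report shows them, uses the parent/child relations transcribed from the process list above, and flags any write that is not parent-to-child. The 64 writes recorded here (1876 to 3624, 3624 to 4520, 3624 to 4904) all match the spawning of the RdrCEF helpers; the extra row with PID 9999 and notepad.exe is a constructed counter-example to show the check firing, not something the report contains.

```python
"""Cross-check a sandbox report's WriteProcessMemory rows against its process tree.

Added example for this report page (not vendor or Adobe code). Rows are fed in
the flattened form the report renders them, e.g.
    "PID 1876 wrote to memory of 36241876AcroRd32.exeRdrCEF.exe"
where description, pid, process and target-process were concatenated.
"""
import re
from collections import Counter

# Parent/child relations transcribed from the "Processes" section of this
# report: child pid -> parent pid (0 marks a top-level process in the trace).
PROCESS_TREE = {
    1876: 0,     # AcroRd32.exe
    3624: 1876,  # RdrCEF.exe (browser process, --backgroundcolor=...)
    4520: 3624,  # RdrCEF.exe --type=gpu-process
    4904: 3624,  # RdrCEF.exe --type=renderer
    3560: 3624,  # RdrCEF.exe --type=gpu-process
    2536: 3624,  # RdrCEF.exe --type=renderer
    2716: 3624,  # RdrCEF.exe --type=gpu-process
    3204: 3624,  # RdrCEF.exe --type=gpu-process
    3844: 1876,  # AdobeARM.exe
    3684: 3844,  # Reader_sl.exe
    1308: 0,     # CompPkgSrv.exe -Embedding
}

# The three distinct rows from the report, with their multiplicities (3, 41, 20).
REPORT_ROWS = (
    ["PID 1876 wrote to memory of 36241876AcroRd32.exeRdrCEF.exe"] * 3
    + ["PID 3624 wrote to memory of 45203624RdrCEF.exeRdrCEF.exe"] * 41
    + ["PID 3624 wrote to memory of 49043624RdrCEF.exeRdrCEF.exe"] * 20
)

# Constructed row, NOT from the report: a renderer writing into an unrelated
# process (hypothetical pid 9999 / notepad.exe) is what injection would look like.
CONSTRUCTED_INJECTION_ROW = "PID 4904 wrote to memory of 99994904RdrCEF.exenotepad.exe"

# The pid column repeats the writer pid, which is what lets us split the run-together
# digits: the target is the shortest digit run followed by a copy of the writer pid.
ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) wrote to memory of (?P<target>\d+)"
    r"(?P=pid)(?P<process>\S+?\.exe)(?P<target_process>\S+\.exe)$"
)


def parse_row(row):
    """Split one flattened IOC row into its four columns."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unparseable row: {row!r}")
    return {
        "pid": int(m["pid"]),
        "target": int(m["target"]),
        "process": m["process"],
        "target_process": m["target_process"],
    }


def summarize(rows):
    """Collapse the one-row-per-event listing into (writer, target) -> event count."""
    return Counter((r["pid"], r["target"]) for r in map(parse_row, rows))


def classify_writes(rows, tree):
    """Return (expected, suspicious).

    expected:   the writer is the direct parent of the target, i.e. the write is
                part of process creation (CEF helper spawning here).
    suspicious: the target is not the writer's child; this is the shape a
                cross-process injection would take in the same table.
    """
    expected, suspicious = [], []
    for r in map(parse_row, rows):
        (expected if tree.get(r["target"]) == r["pid"] else suspicious).append(r)
    return expected, suspicious


if __name__ == "__main__":
    for (writer, target), n in sorted(summarize(REPORT_ROWS).items()):
        print(f"{writer} -> {target}: {n} events")
    ok, bad = classify_writes(REPORT_ROWS, PROCESS_TREE)
    print(f"parent->child writes: {len(ok)}, not parent->child: {len(bad)}")
    _, flagged = classify_writes([CONSTRUCTED_INJECTION_ROW], PROCESS_TREE)
    print("constructed injection row flagged:", bool(flagged))
```

Run on the report's own rows the suspicious list is empty, which is consistent with the 1/10 score: every write lines up with a parent creating a child in the Reader process tree. The same parse-then-cross-reference step applies to the EnumeratesProcesses and SetWindowsHookEx rows once a report carries a process that is not part of the viewer's expected tree.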
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/2536-143-0x0000000000000000-mapping.dmp
  • memory/2716-147-0x0000000000000000-mapping.dmp
  • memory/3204-151-0x0000000000000000-mapping.dmp
  • memory/3560-140-0x0000000000000000-mapping.dmp
  • memory/3624-130-0x0000000000000000-mapping.dmp
  • memory/3684-154-0x0000000000000000-mapping.dmp
  • memory/3844-153-0x0000000000000000-mapping.dmp
  • memory/4520-132-0x0000000000000000-mapping.dmp
  • memory/4904-135-0x0000000000000000-mapping.dmp