General

Target: AcroRdrDC2200120117_en_US.exe
Filesize: 224MB
Completed: 16-05-2022 12:25
Task: behavioral1
Score: 5/10
MD5: af268abc3885cdccb48b2c7dde9be143
SHA1: 97297d264f0f1e0a865dfeba8bdcc3396bc37aaa
SHA256: d1c2f3167c2d4cf075690789753c2680a6196decfcb4b6bfe30335655abcf6cc
SHA512: 6b2ce83ada107a77100c34d7bf62b90c0a77975d7085d07e7699f4ad0c1688129468e4e4f6f52603d29c0de12889aad71a39d1a07db8270a05cddbaedc1dda96

Malware Config
Signatures (4)

Discovery
  • Drops file in System32 directory
    svchost.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8FC8949D-CD4C-40C2-BAC0-EEDD104F2171}.catalogItem | svchost.exe
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1CE8B6C3-9E84-4029-8589-95349B11B689}.catalogItem | svchost.exe
  • Checks processor information in registry
    svchost.exe

    Description

    Processor information (model string, clock speed) is often read to fingerprint the host and detect sandboxes or virtual machines, which frequently expose generic or unusually low values in these keys. In this run the reads are attributed to svchost.exe (PID 32), not to the installer process (PID 4748).

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  • Enumerates system info in registry
    svchost.exe

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  • Suspicious use of SetWindowsHookEx
    AcroRdrDC2200120117_en_US.exe

    Reported IOCs

    pid | process
    4748 | AcroRdrDC2200120117_en_US.exe
    4748 | AcroRdrDC2200120117_en_US.exe
    4748 | AcroRdrDC2200120117_en_US.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\AcroRdrDC2200120117_en_US.exe
    "C:\Users\Admin\AppData\Local\Temp\AcroRdrDC2200120117_en_US.exe"
    Suspicious use of SetWindowsHookEx
    PID:4748
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    Drops file in System32 directory
    Checks processor information in registry
    Enumerates system info in registry
    PID:32

Only the SetWindowsHookEx signature fires in the installer's own process (PID 4748). The three Discovery signatures are attributed to svchost.exe (PID 32, -k netsvcs -p), which the report lists as a separate process rather than as something the installer started; treat those IOCs as host activity observed during the run unless other evidence ties them to the sample.
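The report's tables flatten three columns into one string and attribute every IOC to a process name; reading them correctly means separating what the sample did from what the host did around it, and checking that hash labels match digest lengths (the 128-character digest in the header is a SHA-512, whatever it is labelled). The following Python is an added example written for this page, not the sandbox vendor's tooling: the IOC rows and digests are copied from the report above, while the tag names and the list of fingerprinting registry prefixes are this example's own assumptions.

```python
"""Triage helpers for the flattened sandbox report above.

Added example for this page, not the sandbox vendor's code. The IOC rows and
digests are constructed from the report's own tables; the tag names and the
prefix list are this example's assumptions.
"""
import re
from collections import defaultdict

SAMPLE_PROCESS = "AcroRdrDC2200120117_en_US.exe"

# (signature, description, ioc, process) rows copied from the report. The
# SetWindowsHookEx table only has pid/process columns, so the pid is the ioc.
IOC_ROWS = [
    ("Drops file in System32 directory", "File created",
     r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8FC8949D-CD4C-40C2-BAC0-EEDD104F2171}.catalogItem",
     "svchost.exe"),
    ("Drops file in System32 directory", "File created",
     r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1CE8B6C3-9E84-4029-8589-95349B11B689}.catalogItem",
     "svchost.exe"),
    ("Checks processor information in registry", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
     "svchost.exe"),
    ("Checks processor information in registry", "Key opened",
     r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0",
     "svchost.exe"),
    ("Checks processor information in registry", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz",
     "svchost.exe"),
    ("Enumerates system info in registry", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU",
     "svchost.exe"),
    ("Enumerates system info in registry", "Key opened",
     r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS",
     "svchost.exe"),
    ("Suspicious use of SetWindowsHookEx", "pid", "4748", SAMPLE_PROCESS),
]

# Digests exactly as the report header printed them, with the label it used.
REPORTED_DIGESTS = {
    "af268abc3885cdccb48b2c7dde9be143": "MD5",
    "97297d264f0f1e0a865dfeba8bdcc3396bc37aaa": "SHA1",
    "d1c2f3167c2d4cf075690789753c2680a6196decfcb4b6bfe30335655abcf6cc": "SHA256",
    "6b2ce83ada107a77100c34d7bf62b90c0a77975d7085d07e7699f4ad0c1688129468e4e4f6f52603d29c0de12889aad71a39d1a07db8270a05cddbaedc1dda96": "SHA256",
}

HEX_DIGEST_ALGORITHMS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}


def hash_algorithm(digest):
    """Infer the algorithm from a hex digest's length (raises on non-hex input)."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        raise ValueError("not a hex digest")
    if len(digest) not in HEX_DIGEST_ALGORITHMS:
        raise ValueError(f"unrecognised digest length {len(digest)}")
    return HEX_DIGEST_ALGORITHMS[len(digest)]


def mislabelled_digests(reported):
    """Return {digest: (label on page, algorithm by length)} where they disagree."""
    return {d: (label, hash_algorithm(d))
            for d, label in reported.items() if hash_algorithm(d) != label}


# Registry subtrees read to fingerprint the host (CPU name/MHz, BIOS SKU);
# VMs and sandboxes often expose telltale values there. Assumed list.
FINGERPRINT_PREFIXES = (
    r"\registry\machine\hardware\description\system\centralprocessor",
    r"\registry\machine\hardware\description\system\bios",
)


def classify(signature, description, ioc):
    """Map one IOC row to a coarse behaviour tag (tag names are this example's)."""
    low = ioc.lower()
    if signature == "Suspicious use of SetWindowsHookEx":
        return "user-hook"
    if description.startswith("Key") and low.startswith(FINGERPRINT_PREFIXES):
        return "registry-fingerprint"
    if description == "File created" and low.startswith(r"c:\windows\system32"):
        return "system32-write"
    return "other"


def attribute(rows):
    """Group behaviour tags by the process the sandbox observed them in."""
    by_process = defaultdict(set)
    for signature, description, ioc, process in rows:
        by_process[process].add(classify(signature, description, ioc))
    return dict(by_process)


def split_by_origin(rows, sample=SAMPLE_PROCESS):
    """Tags seen in the sample's own process vs. tags seen only in other processes."""
    by_process = attribute(rows)
    own = by_process.get(sample, set())
    others = {p: t for p, t in by_process.items() if p != sample}
    return own, others


if __name__ == "__main__":
    own, others = split_by_origin(IOC_ROWS)
    print(f"{SAMPLE_PROCESS}: {sorted(own)}")
    for proc, tags in others.items():
        print(f"{proc}: {sorted(tags)}")
    for digest, (label, actual) in mislabelled_digests(REPORTED_DIGESTS).items():
        print(f"digest {digest[:16]}... labelled {label}, length says {actual}")
```

Run stand-alone, it reports that the installer process carries only the user-hook tag, that all registry fingerprinting and System32 writes belong to svchost.exe, and that one header digest is labelled SHA256 while its length is SHA-512. Extending IOC_ROWS with a process tree (parent pids) would let the same split distinguish children the sample spawned from unrelated host services.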
Network
MITRE ATT&CK Matrix

Tactic columns in the report: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. The only techniques named by the signatures above are Query Registry and System Information Discovery, both under the Discovery tactic.