Analysis
- max time kernel: 97s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-05-2022 03:03
Behavioral task: behavioral1
- Sample: DTO 180522.pdf
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: DTO 180522.pdf
- Resource: win10v2004-20220414-en
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: DTO 180522.pdf
- Size: 340KB
- MD5: 81cf65872d292024db54f2e99d1d3bfc
- SHA1: cbcabfa46373ce2bfd440b1aae3a3f4612c74b43
- SHA256: b001b7e0e15b1698ba365ca8b686177065c653d3cf78ee5dcb4e6468e188e361
- SHA512: a11016d48bb49d1818d87ea9268cd403768db1bafa1b9bb45a1e280e5325309fc728e1af91066f05ad342fe2844321bb2c46112d69aa9d80bc0adf70f309bae2
- Score: 1/10
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid, process; identical rows collapsed):
  - 3220 AcroRd32.exe (20 entries)
  - 4544 AdobeARM.exe (2 entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
  - 3220 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes (pid, process; identical rows collapsed):
  - 3220 AcroRd32.exe (6 entries)
  - 4544 AdobeARM.exe (1 entry)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid and process, target pid and process; identical rows collapsed):
  - PID 3220 AcroRd32.exe wrote to memory of PID 4880 RdrCEF.exe (3 entries)
  - PID 4880 RdrCEF.exe wrote to memory of PID 4964 RdrCEF.exe and of PID 4620 RdrCEF.exe (the remaining 61 entries)
Processes
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DTO 180522.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6028833B2F892631FD55564D6A0B85E2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0F4F3EC0C50DB64003A610E232731F71 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0F4F3EC0C50DB64003A610E232731F71 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=66AAA45CF9A93A42CE0F09A60DB82BB0 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8D5A63C00C38ADF74FDD852E1B79C8D1 --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1EE408E8C472637532CEDAF53F025225 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1EE408E8C472637532CEDAF53F025225 --renderer-client-id=6 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2367F0E10D961DA6A9C8DC7D20AABCA6 --mojo-platform-channel-handle=2044 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    Children:
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2452-143-0x0000000000000000-mapping.dmp
- memory/3896-151-0x0000000000000000-mapping.dmp
- memory/4168-140-0x0000000000000000-mapping.dmp
- memory/4224-154-0x0000000000000000-mapping.dmp
- memory/4544-153-0x0000000000000000-mapping.dmp
- memory/4620-135-0x0000000000000000-mapping.dmp
- memory/4632-146-0x0000000000000000-mapping.dmp
- memory/4880-130-0x0000000000000000-mapping.dmp
- memory/4964-132-0x0000000000000000-mapping.dmp