Analysis
- max time kernel: 98s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 12:47
Behavioral task: behavioral1
- Sample: da0f7469664ceb99267b7e37314217494dbd4ca142d67e234f43c6cfa3686054.pdf
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: da0f7469664ceb99267b7e37314217494dbd4ca142d67e234f43c6cfa3686054.pdf
- Resource: win10v2004-20220414-en
General
- Target: da0f7469664ceb99267b7e37314217494dbd4ca142d67e234f43c6cfa3686054.pdf
- Size: 304KB
- MD5: 49c4b1884e95860c331e39e6fdf1a522
- SHA1: d1de0070816bdcecb4681f1ac6910fec87c5e5bc
- SHA256: da0f7469664ceb99267b7e37314217494dbd4ca142d67e234f43c6cfa3686054
- SHA512: 1a665a0cf9b2386bab46c6d6f1fd2ff2581ad05e28503a036d053d4d76d82daf89921a5091fe6c8a4447d47bc81a8403b42abb27281e959196262c2ca1afa6c8
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid | process):
  - 4100 | AcroRd32.exe (20 entries)
  - 1172 | AdobeARM.exe (2 entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid | process):
  - 4100 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes (pid | process):
  - 4100 | AcroRd32.exe (6 entries)
  - 1172 | AdobeARM.exe (1 entry)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process):
  - PID 4100 wrote to memory of 4644 | 4100 | AcroRd32.exe | RdrCEF.exe (3 entries)
  - PID 4644 wrote to memory of 5104 | 4644 | RdrCEF.exe | RdrCEF.exe (repeated entries)
  - PID 4644 wrote to memory of 3508 | 4644 | RdrCEF.exe | RdrCEF.exe (repeated entries)
  The 5104 and 3508 rows together account for the remaining 61 of the 64 entries.
Processes (process tree; depth in brackets)
- [1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\da0f7469664ceb99267b7e37314217494dbd4ca142d67e234f43c6cfa3686054.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BCE713863642234BB80308D7A07CD36 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=54EA65226318C28582F78329A4D5A962 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=54EA65226318C28582F78329A4D5A962 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=45E47F8CCE9213450AE7A71EA24F46D8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=45E47F8CCE9213450AE7A71EA24F46D8 --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DC598FE4472E805F3DB9DF33A298208A --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9863BDAFF009AFEABC043192FDBCD5DF --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D8D45CF5813B888D27738609F7967BF --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - [2] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1172-153-0x0000000000000000-mapping.dmp
- memory/2324-154-0x0000000000000000-mapping.dmp
- memory/2980-148-0x0000000000000000-mapping.dmp
- memory/3028-140-0x0000000000000000-mapping.dmp
- memory/3040-143-0x0000000000000000-mapping.dmp
- memory/3508-135-0x0000000000000000-mapping.dmp
- memory/4320-151-0x0000000000000000-mapping.dmp
- memory/4644-130-0x0000000000000000-mapping.dmp
- memory/5104-132-0x0000000000000000-mapping.dmp