General
Target: e0d7fadbfdc8eaad4071e6d99698f460f9eae7ddd1b27e2d21028dbd10fa0d5a.pdf
Filesize: 1MB
Completed: 21-05-2022 11:29
Task: behavioral2
Score: 1/10
MD5: c53186df717d8037ff5edb0fc9736dda
SHA1: 510cf2f79270303ca5a18474ca541d0ecb20c599
SHA256: e0d7fadbfdc8eaad4071e6d99698f460f9eae7ddd1b27e2d21028dbd10fa0d5a
SHA512: 4a3b8fd9d1fe648373b1f3b90e53b726c62da083feb6e70345dcd8386c04b77e85a12367e74278467e092e4a5b30f9c8c5f7174f7a83de72d951db36b763eb10

Malware Config
Signatures 6

  • Checks processor information in registry
    AcroRd32.exe

    Description

    Processor information is often read in order to detect sandboxing environments. The CPU clock value (~MHz) under HARDWARE\DESCRIPTION\System\CentralProcessor\0 is a common VM/sandbox heuristic, but legitimate software, Acrobat Reader included, also reads it at startup; on its own it is a weak indicator, which is consistent with the 1/10 score and the absence of any other hostile behaviour in this report.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
  • Modifies Internet Explorer settings
    AcroRd32.exe

    Description

    FEATURE_BROWSER_EMULATION is the Internet Explorer feature-control key that sets the document mode used by embedded WebBrowser controls. Applications that host a web view commonly create it under their own per-user hive (here the Admin user's SID), so this is an expected side effect of hosting a browser component rather than evidence of tampering with the user's browser settings.

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
  • Suspicious behavior: EnumeratesProcesses
    AcroRd32.exe, AdobeARM.exe

    Reported IOCs (identical rows collapsed; events is the number of rows in the report)

    pid | process | events
    2320 | AcroRd32.exe | 20
    3324 | AdobeARM.exe | 2
  • Suspicious use of FindShellTrayWindow
    AcroRd32.exe

    Reported IOCs

    pid | process | events
    2320 | AcroRd32.exe | 1
  • Suspicious use of SetWindowsHookEx
    AcroRd32.exe, AdobeARM.exe

    Reported IOCs (identical rows collapsed; events is the number of rows in the report)

    pid | process | events
    2320 | AcroRd32.exe | 6
    3324 | AdobeARM.exe | 1
  • Suspicious use of WriteProcessMemory
    AcroRd32.exe, RdrCEF.exe

    Description

    Every target in the rows below is a direct child of the writing process in the Processes tree (AcroRd32.exe launches the RdrCEF.exe broker, which launches its gpu-process and renderer children). A parent writing into a process it has just created is what CreateProcess-style launches look like, so by itself this is not evidence of injection. Writes into a process the writer did not create, or into an unrelated image such as a browser or explorer.exe, would be the pattern to escalate.

    Reported IOCs (identical rows collapsed; events is the number of rows in the report)

    description | pid | process | target process | events
    PID 2320 wrote to memory of 1740 | 2320 | AcroRd32.exe | RdrCEF.exe | 3
    PID 2320 wrote to memory of 4512 | 2320 | AcroRd32.exe | RdrCEF.exe | 3
    PID 1740 wrote to memory of 4196 | 1740 | RdrCEF.exe | RdrCEF.exe | 41
    PID 1740 wrote to memory of 2384 | 1740 | RdrCEF.exe | RdrCEF.exe | 17
Processes 11
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\e0d7fadbfdc8eaad4071e6d99698f460f9eae7ddd1b27e2d21028dbd10fa0d5a.pdf"
    Checks processor information in registry
    Modifies Internet Explorer settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5336F26ED704CD5E592344717853290 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:4196
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1AC4375B02753C86E37358D19083B6CC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1AC4375B02753C86E37358D19083B6CC --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
        PID:2384
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=224108DB08174FAA85EF5257578513DD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=224108DB08174FAA85EF5257578513DD --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
        PID:4916
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=912F00EC03A34E246CC7D139295075D4 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:4564
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=879BDDDBEC7EA4229D2A2F57AFA7ACC9 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:4064
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=490B1E3FA712FF2F72E128E3447C4B56 --mojo-platform-channel-handle=2688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:1460
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      PID:4512
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3324
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
        PID:4048
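The WriteProcessMemory signature and the Processes tree above carry the one check a triager actually needs for this report: is every write aimed at a process the writer itself created? The script below is an added example and not part of the sandbox report or of any Triage tooling. The pid-to-parent map is transcribed from the Processes section (AdobeARM.exe is listed under AcroRd32.exe, so it is recorded as its child), the event counts reproduce the report's rows, and the final "PID 3324 wrote to memory of 2320" row is a constructed event, not something the report contains, added to show how a write into a process the writer did not create is surfaced.

```python
"""Triage a sandbox report's WriteProcessMemory rows against its process tree.

Added example (not the sandbox's own code). A parent writing into a child it
has just created is how CreateProcess-style launches appear; a write into any
other process is the pattern worth escalating as possible injection.
"""
from collections import Counter

# Process tree transcribed from the report's Processes section: pid -> (parent pid, image).
# PID 2320 is the task root and has no parent in the report.
PROCESSES = {
    2320: (None, "AcroRd32.exe"),
    1740: (2320, "RdrCEF.exe"),
    4196: (1740, "RdrCEF.exe"),
    2384: (1740, "RdrCEF.exe"),
    4916: (1740, "RdrCEF.exe"),
    4564: (1740, "RdrCEF.exe"),
    4064: (1740, "RdrCEF.exe"),
    1460: (1740, "RdrCEF.exe"),
    4512: (2320, "RdrCEF.exe"),
    3324: (2320, "AdobeARM.exe"),
    4048: (3324, "Reader_sl.exe"),
}

# The report's WriteProcessMemory rows in their flattened "PID <src> wrote to
# memory of <dst>" form, with the same multiplicities as the report (3, 3, 41, 17).
# The last row is CONSTRUCTED for illustration: AdobeARM.exe writing into its
# parent AcroRd32.exe does not appear in the report.
RAW_EVENTS = (
    ["PID 2320 wrote to memory of 1740"] * 3
    + ["PID 2320 wrote to memory of 4512"] * 3
    + ["PID 1740 wrote to memory of 4196"] * 41
    + ["PID 1740 wrote to memory of 2384"] * 17
    + ["PID 3324 wrote to memory of 2320"]  # constructed, see above
)


def parse_event(line):
    """Return (source pid, target pid) from one 'PID a wrote to memory of b' row."""
    parts = line.split()
    if len(parts) != 7 or parts[0] != "PID" or parts[2:6] != ["wrote", "to", "memory", "of"]:
        raise ValueError(f"unrecognised row: {line!r}")
    return int(parts[1]), int(parts[6])


def image(pid, tree=PROCESSES):
    """Image name for a pid, or a placeholder if the report never listed it."""
    return tree[pid][1] if pid in tree else "<unknown>"


def summarize(lines):
    """Collapse repeated rows into a (src, dst) -> event count map."""
    return Counter(parse_event(line) for line in lines)


def classify(src, dst, tree=PROCESSES):
    """'child-launch' when dst's recorded parent is src, else 'cross-process-write'."""
    parent = tree[dst][0] if dst in tree else None
    return "child-launch" if parent == src else "cross-process-write"


def triage(lines, tree=PROCESSES):
    """Rows of (src, src image, dst, dst image, events, verdict), sorted by pids."""
    return [
        (src, image(src, tree), dst, image(dst, tree), n, classify(src, dst, tree))
        for (src, dst), n in sorted(summarize(lines).items())
    ]


def suspicious(lines, tree=PROCESSES):
    """Only the rows whose target is not a direct child of the writer."""
    return [row for row in triage(lines, tree) if row[5] == "cross-process-write"]


if __name__ == "__main__":
    for src, src_img, dst, dst_img, n, verdict in triage(RAW_EVENTS):
        print(f"{src:>5} {src_img:<13} -> {dst:>5} {dst_img:<13} x{n:<3} {verdict}")
```

On the report's own 64 rows every write is a child-launch (AcroRd32.exe into its two RdrCEF.exe children, the RdrCEF.exe broker into its gpu-process and renderer children), so `suspicious()` returns nothing; only the constructed AdobeARM-to-AcroRd32 row is flagged. Grandchild writes are deliberately not treated as child-launch, since a parent has no reason to touch a process it did not create itself.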
Network
MITRE ATT&CK Matrix
Defense Evasion: Modify Registry (T1112)
Discovery: Query Registry (T1012), System Information Discovery (T1082)
No techniques reported under Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence or Privilege Escalation.
Downloads
  • memory/1460-152-0x0000000000000000-mapping.dmp
  • memory/1740-130-0x0000000000000000-mapping.dmp
  • memory/2384-136-0x0000000000000000-mapping.dmp
  • memory/3324-154-0x0000000000000000-mapping.dmp
  • memory/4048-155-0x0000000000000000-mapping.dmp
  • memory/4064-149-0x0000000000000000-mapping.dmp
  • memory/4196-133-0x0000000000000000-mapping.dmp
  • memory/4512-131-0x0000000000000000-mapping.dmp
  • memory/4564-146-0x0000000000000000-mapping.dmp
  • memory/4916-141-0x0000000000000000-mapping.dmp