Analysis
  max time kernel:  139s
  max time network: 173s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220414-en
  submitted:        21-05-2022 18:47
Tasks
  static1      (static task)
  behavioral1  sample: NEW PO.exe                                    resource: win7-20220414-en
  behavioral2  sample: NEW PO.exe                                    resource: win10v2004-20220414-en
  behavioral3  sample: PO.xlsx                                       resource: win7-20220414-en
  behavioral4  sample: PO.xlsx                                       resource: win10v2004-20220414-en
  behavioral5  sample: Quote for 20FT Tank Containers CYPRUSx.pdf   resource: win7-20220414-en
  behavioral6  sample: Quote for 20FT Tank Containers CYPRUSx.pdf   resource: win10v2004-20220414-en
General
  Target: Quote for 20FT Tank Containers CYPRUSx.pdf
  Size:   113KB
  MD5:    194071ad3eccf329f3cd8aed324767df
  SHA1:   333416d0c58eed30b7c4cdfbd13dd76ebf5149c9
  SHA256: 3fed114564e25d121f53f45426c0c4b17449229194e3fe7b411640250389963e
  SHA512: 7e6445534679226a07875d83872a7a9ba598242c0c16b3a22f7b3c68b1f1980f5b325da9ffb4b2568edfb610ac2ec496fda8a6a9ee23317cf5bff88eb34cc571
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe

Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                                                       process
  Key created  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (repeated rows collapsed):
  pid   process       occurrences
  1756  AcroRd32.exe  18
  1584  AdobeARM.exe  2

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid   process
  1756  AcroRd32.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (repeated rows collapsed):
  pid   process       occurrences
  1756  AcroRd32.exe  6
  1584  AdobeARM.exe  1

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the 64 logged writes are repeats of three distinct parent/target pairs; duplicate rows collapsed):
  description                        pid   process       target process
  PID 1756 wrote to memory of 1064   1756  AcroRd32.exe  RdrCEF.exe
  PID 1064 wrote to memory of 2824   1064  RdrCEF.exe    RdrCEF.exe
  PID 1064 wrote to memory of 3864   1064  RdrCEF.exe    RdrCEF.exe
Processes (indentation shows the parent/child relationship; signatures triggered by each process are listed beneath its command line)

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Quote for 20FT Tank Containers CYPRUSx.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory

        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF6FCDA0EF12D1179A90718AE7A939CA --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6B62A192EFB32467FE77C9FD876CF8BC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6B62A192EFB32467FE77C9FD876CF8BC --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5DFC7A770B7DF2C15ABA5B1092CDF04C --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=893D858B92C5064574C55C1C1C650E7B --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C73B984084706ADA251F7DBB18045B03 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C73B984084706ADA251F7DBB18045B03 --renderer-client-id=6 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job /prefetch:1

        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=41A33BECDB4A72AD3CEA2878A6C6C57A --mojo-platform-channel-handle=2044 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1064-130-0x0000000000000000-mapping.dmp
- memory/1352-146-0x0000000000000000-mapping.dmp
- memory/1584-153-0x0000000000000000-mapping.dmp
- memory/2708-151-0x0000000000000000-mapping.dmp
- memory/2824-132-0x0000000000000000-mapping.dmp
- memory/2968-140-0x0000000000000000-mapping.dmp
- memory/3420-154-0x0000000000000000-mapping.dmp
- memory/3864-135-0x0000000000000000-mapping.dmp
- memory/3916-143-0x0000000000000000-mapping.dmp