Analysis
- max time kernel: 205s
- max time network: 254s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-05-2022 05:04
Behavioral task: behavioral1
- Sample: 7e12a133e04315fd416fb9c2c06d6dac7df5bba405f34151b0ce1a7ce452500d.pdf
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 7e12a133e04315fd416fb9c2c06d6dac7df5bba405f34151b0ce1a7ce452500d.pdf
- Resource: win10v2004-20220414-en
General
- Target: 7e12a133e04315fd416fb9c2c06d6dac7df5bba405f34151b0ce1a7ce452500d.pdf
- Size: 166KB
- MD5: d0c9713f383d455e2bade568312ef250
- SHA1: 26b2c3ebe022665958ed91bcd5959390efd994e6
- SHA256: 7e12a133e04315fd416fb9c2c06d6dac7df5bba405f34151b0ce1a7ce452500d
- SHA512: 1f27025328afebe31619c5a9a2464c95bc1181ea8677341a43d3095106fff0d3e0cfbd57e012608f98641f71cb3acb1f383d568eed772de1bb34536ef020e8a2
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - AcroRd32.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - AcroRd32.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Modifies Internet Explorer settings
  Processes:
  - AcroRd32.exe: Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
  - pid 5028 AcroRd32.exe (16 repeated entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  - pid 5028 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
  - pid 5028 AcroRd32.exe (5 repeated entries)
- Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed to the distinct source/target pairs)
  Processes (source pid and process -> target pid and process):
  - PID 5028 AcroRd32.exe wrote to memory of 3492 RdrCEF.exe
  - PID 3492 RdrCEF.exe wrote to memory of 3848 RdrCEF.exe
  - PID 3492 RdrCEF.exe wrote to memory of 532 RdrCEF.exe
Processes (nested by process tree depth)
- "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7e12a133e04315fd416fb9c2c06d6dac7df5bba405f34151b0ce1a7ce452500d.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F7C4EBC458B62E8229CB394A38AD582 --mojo-platform-channel-handle=1684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=98BEB6415A983B621289A02551AC5560 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=98BEB6415A983B621289A02551AC5560 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=063C4BBBFAF9DA7D6A98BE52CBC39B84 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=063C4BBBFAF9DA7D6A98BE52CBC39B84 --renderer-client-id=4 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job /prefetch:1
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=49E23A3A91029DE227AF377FAC134E79 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B0B527D4CBCF14462F05BC3D94F70ABA --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FDA07800DDCCDE9D659A14976DBFB271 --mojo-platform-channel-handle=2660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/532-135-0x0000000000000000-mapping.dmp
- memory/2360-145-0x0000000000000000-mapping.dmp
- memory/2544-151-0x0000000000000000-mapping.dmp
- memory/3104-148-0x0000000000000000-mapping.dmp
- memory/3492-130-0x0000000000000000-mapping.dmp
- memory/3848-132-0x0000000000000000-mapping.dmp
- memory/4512-140-0x0000000000000000-mapping.dmp