General
Target: attachment20220623-10971-1iqgenl.pdf
Filesize: 1MB
Completed: 23-06-2022 15:19
Task: behavioral2
Score: 1/10
MD5: 43d9f57d9ca4b5a4c7f7b68df1fd1bb2
SHA1: 00a001cc6f33a368d6dc7410e03fda78f1200bd5
SHA256: 7d59e0ae82e0e139693e3e703a0ba86ca6022c15b8a8c416e46467c9553b9a25
SHA512: 29ca49ad8d0dd877b3afdc94cdfaeeb78246923ab16cd582b70429139528925a4176b99f5491984ec8500695df1c0ab4e9228beb9c70bb52bb0e54862be1d03f

Malware Config
Signatures 6

  • Checks processor information in registry
    AcroRd32.exe

    Description

    Processor information is often read in order to detect sandboxing environments. In this run the reading process is AcroRd32.exe, the reader that opened the sample, not anything the document dropped or launched, and the value read (CentralProcessor\0\~MHz) is one that many legitimate applications query; the signature carries weight when the process reading it has no ordinary reason to want it.

    TTPs

    Query Registry
    System Information Discovery

    Reported IOCs

    Description         IOC                                                                    Process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
  • Modifies Internet Explorer settings
    AcroRd32.exe

    Description

    The key created is FeatureControl\FEATURE_BROWSER_EMULATION in the user's hive. Applications that embed the Internet Explorer web-browser control write this key for their own executable name to select a document mode, and here it is created by AcroRd32.exe itself rather than by a process the document started.

    TTPs

    Modify Registry

    Reported IOCs

    Description   IOC                                                                                                                                      Process
    Key created   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe
  • Suspicious behavior: EnumeratesProcesses
    AcroRd32.exe, AdobeARM.exe

    Reported IOCs

    PID    Process        Occurrences
    4116   AcroRd32.exe   20
    1676   AdobeARM.exe   4
  • Suspicious use of FindShellTrayWindow
    AcroRd32.exe

    Reported IOCs

    PID    Process
    4116   AcroRd32.exe
  • Suspicious use of SetWindowsHookEx
    AcroRd32.exe, AdobeARM.exe

    Reported IOCs

    PID    Process        Occurrences
    4116   AcroRd32.exe   6
    1676   AdobeARM.exe   1
  • Suspicious use of WriteProcessMemory
    AcroRd32.exe, RdrCEF.exe

    Reported IOCs

    Description                         PID    Process        Target process   Occurrences
    PID 4116 wrote to memory of 3532    4116   AcroRd32.exe   RdrCEF.exe       3
    PID 3532 wrote to memory of 216     3532   RdrCEF.exe     RdrCEF.exe       41
    PID 3532 wrote to memory of 212     3532   RdrCEF.exe     RdrCEF.exe       20
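Reports of this kind, when scraped as plain text, arrive with the cells of each "Reported IOCs" row run together (for example `Key opened\REGISTRY\...\CentralProcessor\0AcroRd32.exe`, `4116AcroRd32.exe`, or `PID 4116 wrote to memory of 35324116AcroRd32.exeRdrCEF.exe`, where the target PID and the repeated writer PID fuse into one digit run). The parser below is an added example, not part of the sandbox tooling: it recovers the columns from the conventions visible in the tables above (a fixed set of description verbs, numeric PIDs, and a process column drawn from the image names in this report's process list) and collapses verbatim repeats into per-record counts. The sample rows are transcribed from this report; `KNOWN_IMAGES`, `REGISTRY_VERBS` and the function names are this example's own assumptions.

```python
import re
from collections import Counter

# Image names that occur in this report's "Processes" section. A registry path or
# value name can legitimately end in letters and digits (…\0AcroRd32.exe,
# …FEATURE_BROWSER_EMULATIONAcroRd32.exe), so the trailing process column can only
# be split off reliably against a known vocabulary, not with a generic \w+\.exe pattern.
KNOWN_IMAGES = ("AcroRd32.exe", "RdrCEF.exe", "AdobeARM.exe", "Reader_sl.exe", "CompPkgSrv.exe")

# Description column of the registry signatures as it appears in the report.
REGISTRY_VERBS = ("Key opened", "Key value queried", "Key created")

MEMWRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)(\D.*)$")


def split_trailing_image(text, images=KNOWN_IMAGES):
    """Split `text` into (head, image) where `image` is the known image name that ends it.
    Longest name is tried first so a longer name is never mistaken for a shorter suffix."""
    for name in sorted(images, key=len, reverse=True):
        if text.endswith(name):
            return text[: -len(name)], name
    raise ValueError(f"no known process image at the end of {text!r}")


def parse_registry_row(row):
    """'<description><registry path><process>' -> ('registry', description, path, process)."""
    for verb in REGISTRY_VERBS:
        if row.startswith(verb):
            path, image = split_trailing_image(row[len(verb):])
            return ("registry", verb, path, image)
    raise ValueError(f"unknown registry description in {row!r}")


def parse_pid_row(row):
    """'<pid><process>' -> ('process', pid, process)."""
    digits, image = split_trailing_image(row)
    if not digits.isdigit():
        raise ValueError(f"pid column is not numeric in {row!r}")
    return ("process", int(digits), image)


def parse_memory_write_row(row):
    """'PID A wrote to memory of B' + 'A' + '<writer image><target image>'.
    The target pid B and the repeated writer pid A are fused into one digit run;
    A is known from the description, so B is whatever precedes that suffix."""
    m = MEMWRITE_RE.match(row)
    if not m:
        raise ValueError(f"not a WriteProcessMemory row: {row!r}")
    writer, fused, images = m.group(1), m.group(2), m.group(3)
    if not fused.endswith(writer) or len(fused) == len(writer):
        raise ValueError(f"pid column does not repeat the writer pid in {row!r}")
    target = fused[: -len(writer)]
    head, target_image = split_trailing_image(images)
    leftover, writer_image = split_trailing_image(head)
    if leftover:
        raise ValueError(f"unexpected text between image names in {row!r}")
    return ("memwrite", int(writer), int(target), writer_image, target_image)


def parse_row(row):
    if row.startswith("PID "):
        return parse_memory_write_row(row)
    if row.startswith(REGISTRY_VERBS):
        return parse_registry_row(row)
    return parse_pid_row(row)


def parse_rows(rows):
    """Parse every row and collapse verbatim repeats into a count per record; the
    count is the number of times the sandbox observed that event."""
    return Counter(parse_row(r) for r in rows)


# Rows transcribed from this report, in the run-together form they are scraped in.
SAMPLE_ROWS = [
    r"Key opened\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0AcroRd32.exe",
    r"Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHzAcroRd32.exe",
    r"Key created\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATIONAcroRd32.exe",
    "4116AcroRd32.exe",
    "4116AcroRd32.exe",
    "1676AdobeARM.exe",
    "PID 4116 wrote to memory of 35324116AcroRd32.exeRdrCEF.exe",
    "PID 3532 wrote to memory of 2163532RdrCEF.exeRdrCEF.exe",
    "PID 3532 wrote to memory of 2163532RdrCEF.exeRdrCEF.exe",
    "PID 3532 wrote to memory of 2123532RdrCEF.exeRdrCEF.exe",
]

if __name__ == "__main__":
    for record, count in parse_rows(SAMPLE_ROWS).most_common():
        print(count, record)
```

Feeding the full WriteProcessMemory table of this report through `parse_rows` yields three records with counts 3, 41 and 20, which is the form in which the repeated rows are easiest to read.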
Processes 11
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\attachment20220623-10971-1iqgenl.pdf"
    Checks processor information in registry
    Modifies Internet Explorer settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0BA813E666DB90A3A229C00DAE4A37D7 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:216
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A86D65EE6527CC78034A80727190C0C0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A86D65EE6527CC78034A80727190C0C0 --renderer-client-id=2 --mojo-platform-channel-handle=1728 
--allow-no-sandbox-job /prefetch:1
        PID:212
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BE28F71C1AF1BC4EB658BA197CB7BCE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BE28F71C1AF1BC4EB658BA197CB7BCE7 --renderer-client-id=4 --mojo-platform-channel-handle=2316 
--allow-no-sandbox-job /prefetch:1
        PID:2432
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CDDAF0B13E5F06D50D3704C0075DC39B --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:3208
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=20D573A3BDC917B9D12EA044CB077224 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:2024
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BB2BC68E147D41A0D980823ABF8ACAA0 --mojo-platform-channel-handle=2624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID:2596
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1676
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
        PID:3080
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:3720
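The process tree above and the "Suspicious use of WriteProcessMemory" signature are what an analyst checks before trusting a 1/10 score on a reader sample: every descendant of AcroRd32.exe should be an image the reader is known to spawn, running from its own install location, and every memory write should be a parent writing into a freshly created direct child, which is how Chromium/CEF hands start-up state to its renderer and GPU processes. A write into any other process, or an unexpected child such as a shell, is the shape of a document that actually did something. The checks below are an added example, not part of the sandbox or of Adobe's software; the tree and the write counts are transcribed from this report, while `EXPECTED_DESCENDANTS` and the function names are this example's own assumptions.

```python
from pathlib import PureWindowsPath

READER_ROOT = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"
ARM_ROOT = r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0"

# (pid, parent pid, image path), transcribed from the report's process tree.
PROCESSES = [
    (4116, None, READER_ROOT + r"\AcroRd32.exe"),
    (3532, 4116, READER_ROOT + r"\AcroCEF\RdrCEF.exe"),
    (216, 3532, READER_ROOT + r"\AcroCEF\RdrCEF.exe"),
    (212, 3532, READER_ROOT + r"\AcroCEF\RdrCEF.exe"),
    (2432, 3532, READER_ROOT + r"\AcroCEF\RdrCEF.exe"),
    (3208, 3532, READER_ROOT + r"\AcroCEF\RdrCEF.exe"),
    (2024, 3532, READER_ROOT + r"\AcroCEF\RdrCEF.exe"),
    (2596, 3532, READER_ROOT + r"\AcroCEF\RdrCEF.exe"),
    (1676, 4116, ARM_ROOT + r"\AdobeARM.exe"),
    (3080, 1676, READER_ROOT + r"\Reader_sl.exe"),
    (3720, None, r"C:\Windows\System32\CompPkgSrv.exe"),
]

# (writer pid, target pid, number of WriteProcessMemory events), from the signature table.
MEMORY_WRITES = [(4116, 3532, 3), (3532, 216, 41), (3532, 212, 20)]

# Assumed allow-list: image names Acrobat Reader DC spawns, each with the directory
# it must run from. Anything else found under the reader is worth a look.
EXPECTED_DESCENDANTS = {
    "rdrcef.exe": READER_ROOT + r"\AcroCEF",
    "adobearm.exe": ARM_ROOT,
    "reader_sl.exe": READER_ROOT,
}


def _index(processes):
    parents = {pid: ppid for pid, ppid, _ in processes}
    images = {pid: image for pid, _, image in processes}
    return parents, images


def descends_from(parents, pid, ancestor):
    """True if `ancestor` is somewhere on the parent chain of `pid`."""
    p = parents.get(pid)
    while p is not None:
        if p == ancestor:
            return True
        p = parents.get(p)
    return False


def unexpected_descendants(processes, root_image="acrord32.exe", expected=EXPECTED_DESCENDANTS):
    """Return [(pid, image path, reason)] for reader descendants that are either not
    on the allow-list or not running from the directory the allow-list expects."""
    parents, images = _index(processes)
    roots = [pid for pid, img in images.items() if PureWindowsPath(img).name.lower() == root_image]
    flagged = []
    for pid, img in images.items():
        if not any(descends_from(parents, pid, root) for root in roots):
            continue
        path = PureWindowsPath(img)
        name = path.name.lower()
        if name not in expected:
            flagged.append((pid, img, "image not in reader allow-list"))
        elif str(path.parent).lower() != expected[name].lower():
            flagged.append((pid, img, "image runs from unexpected directory"))
    return flagged


def classify_memory_writes(processes, writes):
    """Label each (writer, target, count) as an expected parent-to-child write or a
    cross-process write that needs a closer look."""
    parents, _ = _index(processes)
    out = []
    for writer, target, count in writes:
        if parents.get(target) == writer:
            verdict = "parent-to-child (expected CEF start-up handoff)"
        else:
            verdict = "cross-process write, review for injection"
        out.append((writer, target, count, verdict))
    return out


def triage(processes=PROCESSES, writes=MEMORY_WRITES):
    """True when neither check flags anything, i.e. the tree looks like a clean reader session."""
    return not unexpected_descendants(processes) and all(
        row[3].startswith("parent-to-child") for row in classify_memory_writes(processes, writes)
    )


if __name__ == "__main__":
    print("unexpected descendants:", unexpected_descendants(PROCESSES))
    for row in classify_memory_writes(PROCESSES, MEMORY_WRITES):
        print(row)
    print("clean reader session:", triage())
```

On this report both checks come back clean: the only children of AcroRd32.exe are RdrCEF.exe, AdobeARM.exe and Reader_sl.exe from their expected directories, and all 64 memory writes go from a parent into its own direct child. CompPkgSrv.exe is a separate top-level process with no link to the reader, so it is outside the reader checks.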
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Techniques mapped from the signatures above: Query Registry (T1012, Discovery), System Information Discovery (T1082, Discovery), Modify Registry (T1112, Defense Evasion)
Downloads
  • memory/212-135-0x0000000000000000-mapping.dmp
  • memory/216-132-0x0000000000000000-mapping.dmp
  • memory/1676-153-0x0000000000000000-mapping.dmp
  • memory/2024-148-0x0000000000000000-mapping.dmp
  • memory/2432-140-0x0000000000000000-mapping.dmp
  • memory/2596-151-0x0000000000000000-mapping.dmp
  • memory/3080-154-0x0000000000000000-mapping.dmp
  • memory/3208-145-0x0000000000000000-mapping.dmp
  • memory/3532-130-0x0000000000000000-mapping.dmp