Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-09-2022 06:34
Behavioral task: behavioral1
- Sample: Digital forensics and incident response incident response techniques and procedures to respond to m.pdf
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Digital forensics and incident response incident response techniques and procedures to respond to m.pdf
- Resource: win10v2004-20220812-en
General
- Target: Digital forensics and incident response incident response techniques and procedures to respond to m.pdf
- Size: 67.6MB
- MD5: 4b05d8c40a8facdea608f8a5dba6cd06
- SHA1: c4c27a817c6b63164d1de3e0889302b5d92c2d7d
- SHA256: e84fcb4980ba29bec4425981d3339e70b20c80516ad299f5f3f5c1d14e720155
- SHA512: 2b016df3a9514ddeb9ea6dc84c5b5b26ef06890b3310f44ec694fcec5d94d38eddf152ab1ba490012ec47aa3282715cb74353378bca6416ff636c82ac781b9fc
- SSDEEP: 1572864:X2OPjqNkw83WJ12SzWsMWFNZjh5XLZZFYc9Hg4viub6:mO7qNklwASd9jh5VZ2c24quW
Malware Config
Signatures
- Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Modifies Internet Explorer settings
Processes: AcroRd32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: AcroRd32.exe
pid | process
4108 | AcroRd32.exe (20 identical events)
- Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
pid | process
4108 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx 6 IoCs
Processes: AcroRd32.exe
pid | process
4108 | AcroRd32.exe (6 identical events)
- Suspicious use of WriteProcessMemory 64 IoCs
Processes: AcroRd32.exe, RdrCEF.exe
description | pid | process | target process
PID 4108 wrote to memory of 1424 | 4108 | AcroRd32.exe | RdrCEF.exe (3 events)
PID 1424 wrote to memory of 3732 | 1424 | RdrCEF.exe | RdrCEF.exe (repeated)
PID 1424 wrote to memory of 2428 | 1424 | RdrCEF.exe | RdrCEF.exe (repeated)
All 64 events fall into these three source/target pairs.
Processes
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Digital forensics and incident response incident response techniques and procedures to respond to m.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=582E76DDD806396BC52BDB04BA0A1968 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=869FCA53CB74B79B946A361F17277843 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=869FCA53CB74B79B946A361F17277843 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=497B5753E98A0713BB07E44EA13F5A50 --mojo-platform-channel-handle=2164 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=62D447C6C1813355768BD0E6998EA4E0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=62D447C6C1813355768BD0E6998EA4E0 --renderer-client-id=5 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7F11C737292211A7ECC9064CB344D2D6 --mojo-platform-channel-handle=2188 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F3B3D36C13A8700565A51DD46BA8969 --mojo-platform-channel-handle=2604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1312-145-0x0000000000000000-mapping.dmp
- memory/1424-132-0x0000000000000000-mapping.dmp
- memory/2428-137-0x0000000000000000-mapping.dmp
- memory/3732-134-0x0000000000000000-mapping.dmp
- memory/4004-153-0x0000000000000000-mapping.dmp
- memory/4288-150-0x0000000000000000-mapping.dmp
- memory/4600-142-0x0000000000000000-mapping.dmp