e8c2c5b0c5bf3a53fe906898b065f8441d886793ff719f670bee84cd5faa65ec

General

Target

f_00c87e.pdf
Size

2.2MB
MD5

79741caed62a4031925b0f47b791820b
SHA1

7d63b93d981158967ca6893af36e86d48e905f0d
SHA256

b2e3559e24626ce939655d08309ae71363dd46c6318155d0e5bda61c9623457e
SHA512

5b65a4b122098b204c60abe1debabc27e24ffc23d8306de5bec837d5dd6f95bbbb26be6ed4d1d627a876eed7cb91a5cf1b0f0b1863848b3a669d1d0cb604311c
SSDEEP

49152:YeRlF+yqDHPDGXRY5ch6VtKGelXP9Co+384nWq:DF+yqD+EHKHP9bL4l

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe
5016	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

5016 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

5016 AcroRd32.exe
5016 AcroRd32.exe
5016 AcroRd32.exe
5016 AcroRd32.exe
5016 AcroRd32.exe
5016 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 5016 wrote to memory of 4720	5016	AcroRd32.exe	RdrCEF.exe
PID 5016 wrote to memory of 4720	5016	AcroRd32.exe	RdrCEF.exe
PID 5016 wrote to memory of 4720	5016	AcroRd32.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 4224	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe
PID 4720 wrote to memory of 2672	4720	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f_00c87e.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=56CFAAE2846200105E1AF17747AF4BAD --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4224
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D6C33CC01C515FE04627E334A1B49C98 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D6C33CC01C515FE04627E334A1B49C98 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2672
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B17474643DFF3F1771E3744A00835DB8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B17474643DFF3F1771E3744A00835DB8 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2084
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9AE0935049897D670A85F47AD08CD43C --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4748
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CD311DC1D54D1E7A8D4568D719604F4C --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4804
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FCB547810AB17FDE67989BBFAD0F966B --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-142-0x0000000000000000-mapping.dmp

Download
memory/2556-153-0x0000000000000000-mapping.dmp

Download
memory/2672-137-0x0000000000000000-mapping.dmp

Download
memory/4224-134-0x0000000000000000-mapping.dmp

Download
memory/4720-132-0x0000000000000000-mapping.dmp

Download
memory/4748-147-0x0000000000000000-mapping.dmp

Download
memory/4804-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads