Analysis
- max time kernel: 75s
- max time network: 78s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-09-2022 11:20
Behavioral task: behavioral1
- Sample: aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf
- Resource: win10v2004-20220812-en
General
- Target: aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf
- Size: 1.2MB
- MD5: ff64ba069866613a687377d50f4682ed
- SHA1: 095146b63035b09180b23ef054d248631e96f9d0
- SHA256: 5b3ef0461b63988396f3853ad4aa0fdf1341cabd8c82460f1e25bdd12e90e53a
- SHA512: 98ea9ce098d59f7d311f952d9c795822afb929a0c0c627a50a12318b18b30debe3ca56127e813903750af730a58588fc2719aa0558d96352d440e36905c7b098
- SSDEEP: 24576:fFCkmt44nH4wPjGwRe8q9NxnIN5WidUdlPrJkujIYsSHm6sdg6dQJHy:9CvRvNRe8q9NpIN4uU3l5jf3Hm6sdgd0
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Modifies Internet Explorer settings (1 IoC)
Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (pid | process):
  - 4344 | AcroRd32.exe (the same entry is repeated 20 times)
- Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid | process):
  - 4344 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
Processes (pid | process):
  - 4344 | AcroRd32.exe (the same entry is repeated 6 times)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process); only three distinct rows occur, the 64 entries are repeats of them:
  - PID 4344 wrote to memory of 4876 | 4344 | AcroRd32.exe | RdrCEF.exe (3 entries)
  - PID 4876 wrote to memory of 3776 | 4876 | RdrCEF.exe | RdrCEF.exe (repeated)
  - PID 4876 wrote to memory of 4380 | 4876 | RdrCEF.exe | RdrCEF.exe (repeated)
Processes (process tree; depth in parentheses)
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (1)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (2)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5D63548F8FEB03A9D9AB08C48E1D1EB --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E4EBB109DDE5A0B0FF5516A384511169 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E4EBB109DDE5A0B0FF5516A384511169 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=95257E4A01C36C0E7D6F25695B3FDBEF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=95257E4A01C36C0E7D6F25695B3FDBEF --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=72C5A59F53D03890CBFD008D34E8A372 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2FC545269EBFD78180926B797211132E --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (3)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A29D4E6AD7ED057FACB2C21D2F3C75B4 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3156-142-0x0000000000000000-mapping.dmp
- memory/3468-153-0x0000000000000000-mapping.dmp
- memory/3516-147-0x0000000000000000-mapping.dmp
- memory/3776-134-0x0000000000000000-mapping.dmp
- memory/4356-150-0x0000000000000000-mapping.dmp
- memory/4380-137-0x0000000000000000-mapping.dmp
- memory/4876-132-0x0000000000000000-mapping.dmp