Analysis
max time kernel: 82s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-09-2022 05:23
Behavioral tasks
- behavioral1: sample 0cf8ca84678d628db61dd23d3c56020fbad178be28612057d204d740d4722faa.pdf, resource win7-20220901-en
- behavioral2: sample 0cf8ca84678d628db61dd23d3c56020fbad178be28612057d204d740d4722faa.pdf, resource win10v2004-20220812-en
General
Target: 0cf8ca84678d628db61dd23d3c56020fbad178be28612057d204d740d4722faa.pdf
Size: 2.4MB
MD5: d59272131bbf08073cb274dffb45db69
SHA1: 46fa81334a93b153b06255ec83db032983a738b7
SHA256: 0cf8ca84678d628db61dd23d3c56020fbad178be28612057d204d740d4722faa
SHA512: 87077201bf6edf5a30ea29d74f3acb5ea5de6c5839a980b5b4784e16719d8a49e1ccfbb728223d8842a89040f25c2ff5473be6f9c5b0f36f9a93165c2f8751b0
SSDEEP: 49152:bKjGLw3KlvsNjnOC45HGNVVhoEwAjqtVQrUhS3JqBbe6JmQVXtT8zl2:Tw3K+NzSBuVsUWtVQrU43f6PJ3
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  process       description        ioc
  AcroRd32.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  AcroRd32.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Modifies Internet Explorer settings (signature name taken from the process tree below; the IoC count is not given on this page)
Processes:
  process       description  ioc
  AcroRd32.exe  Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid   process
  1476  AcroRd32.exe  (18 identical entries)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  1476  AcroRd32.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid   process
  1476  AcroRd32.exe  (6 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the 64 entries repeat the three distinct source/target pairs below; the first three entries are the AcroRd32.exe -> RdrCEF.exe writes):
  description                      pid   process       target pid  target process
  PID 1476 wrote to memory of 3556  1476  AcroRd32.exe  3556        RdrCEF.exe
  PID 3556 wrote to memory of 1192  3556  RdrCEF.exe    1192        RdrCEF.exe
  PID 3556 wrote to memory of 2932  3556  RdrCEF.exe    2932        RdrCEF.exe
Processes (indentation shows the parent/child depth of the process tree)

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0cf8ca84678d628db61dd23d3c56020fbad178be28612057d204d740d4722faa.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=813439B4D4192127A6F835938748271A --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A7797B906A38EF67CF013869FFA39FE6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A7797B906A38EF67CF013869FFA39FE6 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=73FBC870251B8B92A0348B07CC7879D9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=73FBC870251B8B92A0348B07CC7879D9 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FEAADB7B439FD503D1691AEB304E0533 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE5155C1B6678A62AE4E9E6BCA424837 --mojo-platform-channel-handle=1968 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E35877228D97FAE1F9A214888B16D5B4 --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1192-134-0x0000000000000000-mapping.dmp
- memory/1404-153-0x0000000000000000-mapping.dmp
- memory/2400-150-0x0000000000000000-mapping.dmp
- memory/2932-137-0x0000000000000000-mapping.dmp
- memory/3256-147-0x0000000000000000-mapping.dmp
- memory/3556-132-0x0000000000000000-mapping.dmp
- memory/4348-142-0x0000000000000000-mapping.dmp