Analysis
max time kernel: 77s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-09-2022 18:52
Behavioral task: behavioral1
Sample: 19.458%24%20Need%20to%20move%20you%20have%2024%20hours-7015E5OYN70k1DuJI5AUuDJEm6Vc.pdf
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 19.458%24%20Need%20to%20move%20you%20have%2024%20hours-7015E5OYN70k1DuJI5AUuDJEm6Vc.pdf
Resource: win10v2004-20220812-en
General
Target: 19.458%24%20Need%20to%20move%20you%20have%2024%20hours-7015E5OYN70k1DuJI5AUuDJEm6Vc.pdf
Size: 517KB
MD5: 0ad7c8ed6c5ff650da213cd211861f66
SHA1: 8c261293d66ab7262c927627acc0e92ed37a67e0
SHA256: b90c4524fadcc5570232022977a5524de4b06bde1f014be6d93d9e46acb0c76a
SHA512: 4b07dc7b1791cb83c7a3911ae4c3142a38099c0052d00c9edcb9dc43d96c697a09e443ce8ce194e31c2b5ee1364ba458b092750cee57b251a7b94b59398e9334
SSDEEP: 12288:mN9Jt01lnV9HowGVlFcEXM5YDuBF647HBTNPcocHQx:K7G1lTolFs5YDub647h6Y
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                    process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
Modifies Internet Explorer settings (1 IoC)
Processes:
  description   ioc                                                                                                                                          process
  Key created   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid    process
  3044   AcroRd32.exe   (listed 18 times)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid    process
  3044   AcroRd32.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid    process
  3044   AcroRd32.exe   (listed 6 times)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  64 write events are listed; every event is one of the following three process pairs, each repeated many times in the dump:
  description                          pid    process        target process
  PID 3044 wrote to memory of 4816     3044   AcroRd32.exe   RdrCEF.exe
  PID 4816 wrote to memory of 1284     4816   RdrCEF.exe     RdrCEF.exe
  PID 4816 wrote to memory of 4992     4816   RdrCEF.exe     RdrCEF.exe
Processes
[level 1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\19.458%24%20Need%20to%20move%20you%20have%2024%20hours-7015E5OYN70k1DuJI5AUuDJEm6Vc.pdf"
    Signatures:
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [level 2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        Signatures:
        - Suspicious use of WriteProcessMemory

        [level 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=55B64D8519147EC991A9517D9EEB559E --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [level 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=062CDEFE7C270C4F20A5ED147FA15373 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=062CDEFE7C270C4F20A5ED147FA15373 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1

        [level 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C7008EBF9C010182E9539657640DF702 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [level 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3417EAB32491AC3D407FE13667C2E009 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3417EAB32491AC3D407FE13667C2E009 --renderer-client-id=5 --mojo-platform-channel-handle=1872 --allow-no-sandbox-job /prefetch:1

        [level 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=891623238909A207F52121279C0C0458 --mojo-platform-channel-handle=2524 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [level 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=120276211368CDD5F1095A166D0F622C --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

[level 1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1284-134-0x0000000000000000-mapping.dmp
- memory/2520-142-0x0000000000000000-mapping.dmp
- memory/2540-150-0x0000000000000000-mapping.dmp
- memory/3148-145-0x0000000000000000-mapping.dmp
- memory/4600-153-0x0000000000000000-mapping.dmp
- memory/4816-132-0x0000000000000000-mapping.dmp
- memory/4992-137-0x0000000000000000-mapping.dmp