Analysis
max time kernel
80s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-10-2022 20:14
Behavioral task
behavioral1
Sample
Im Glad My Mom Died (Jennette McCurdy) (z-lib.org).pdf
Resource
win10v2004-20220901-en
Behavioral task
behavioral2
Sample
Im Glad My Mom Died (Jennette McCurdy) (z-lib.org).pdf
Resource
macos-20220504-en
General
Target
Im Glad My Mom Died (Jennette McCurdy) (z-lib.org).pdf
Size
2.6MB
MD5
7218eab70ec87e9d80653bf130762521
SHA1
f8cd2d3743e2213ceb0d547ff885f327feccd269
SHA256
363e649cb9a933cdb7a8f801d819c71d382c3ab8274553ecf3481251c2b877fa
SHA512
686b42d97ae2701822025456c04a583b13ecf99955b5bf5a210cccf38b0043d39252bc843992773da593aee6bd5a0ed9a31e6cfd47e8dd17b85b4b3dfed786fb
SSDEEP
49152:vZ4bX7+2pWPCXxNrLtCr25kxhDk9WqZ+L617hMq:vZKXi0WqXK2+DkCmN
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        | ioc                                                                    | process
  Key opened         | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       | AcroRd32.exe
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  | AcroRd32.exe

Modifies Internet Explorer settings
Processes:
  description  | ioc                                                                                                                                          | process
  Key created  | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  | AcroRd32.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid   | process
  3852  | AcroRd32.exe (20 events)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   | process
  3852  | AcroRd32.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid   | process
  3852  | AcroRd32.exe (6 events)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description      | source pid / process  | target pid / process  | events
  wrote to memory  | 3852 AcroRd32.exe     | 1096 RdrCEF.exe       | 3
  wrote to memory  | 1096 RdrCEF.exe       | 2476 RdrCEF.exe       | remaining 61 events, split between
  wrote to memory  | 1096 RdrCEF.exe       | 5048 RdrCEF.exe       | these two targets
Every recorded write stays inside the Reader's own process family: AcroRd32.exe into its RdrCEF.exe child, and that RdrCEF.exe into its own RdrCEF.exe children.
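The WriteProcessMemory list above is the bulk of this report, and as flattened per-event records it is hard to read. The following is an added triage helper, not part of the sandbox report or its tooling: it parses records of the shape "PID <src> wrote to memory of <dst> <src> <src image> <dst image>", collapses them into distinct source-to-target edges with counts, and flags any edge whose source or target image falls outside an allowlist of the reader's own binaries. The allowlist (AcroRd32.exe, RdrCEF.exe) is taken from the process names in this report; the sample records are a constructed excerpt in the report's format, and the explorer.exe record used to show a flagged edge is constructed and does not appear in the report.

```python
"""Summarize flattened 'Suspicious use of WriteProcessMemory' IoC records.

Added triage helper; not part of the sandbox report. Records look like
  PID 3852 wrote to memory of 1096 3852 AcroRd32.exe RdrCEF.exe
and repeat once per event. We reduce them to (source, target) edges
with counts and flag edges that leave an allowlisted image family.
"""
import re
from collections import Counter

# One record: src pid, dst pid, src pid again, src image, dst image.
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)

# Constructed excerpt of the report's 64 records (same shape, fewer rows).
SAMPLE_RECORDS = (
    "PID 3852 wrote to memory of 1096 3852 AcroRd32.exe RdrCEF.exe "
    "PID 3852 wrote to memory of 1096 3852 AcroRd32.exe RdrCEF.exe "
    "PID 3852 wrote to memory of 1096 3852 AcroRd32.exe RdrCEF.exe "
    "PID 1096 wrote to memory of 2476 1096 RdrCEF.exe RdrCEF.exe "
    "PID 1096 wrote to memory of 2476 1096 RdrCEF.exe RdrCEF.exe "
    "PID 1096 wrote to memory of 5048 1096 RdrCEF.exe RdrCEF.exe"
)

# Constructed record (not in the report) showing what a flagged edge
# would look like: a Reader child writing into a foreign process.
FOREIGN_RECORD = "PID 1096 wrote to memory of 4242 1096 RdrCEF.exe explorer.exe"

# Assumption: writes that stay within the reader's own image family are
# the expected browser-style parent/child plumbing; anything else is
# worth a closer look. Image names come from this report's process tree.
READER_IMAGES = frozenset({"AcroRd32.exe", "RdrCEF.exe"})


def parse_records(text):
    """Return (src_pid, src_image, dst_pid, dst_image) tuples, in order."""
    return [
        (int(m["src"]), m["src_image"], int(m["dst"]), m["dst_image"])
        for m in RECORD_RE.finditer(text)
    ]


def edge_counts(records):
    """Collapse per-event records into distinct source->target edges."""
    return Counter(records)


def suspicious_edges(records, allowlist=READER_IMAGES):
    """Edges whose source or target image is outside the allowlist."""
    return sorted(
        edge
        for edge in edge_counts(records)
        if edge[1] not in allowlist or edge[3] not in allowlist
    )


def summarize(text, allowlist=READER_IMAGES):
    """Human-readable summary lines plus the list of flagged edges."""
    records = parse_records(text)
    lines = [
        f"{si}[{s}] -> {di}[{d}]: {n} event(s)"
        for (s, si, d, di), n in sorted(edge_counts(records).items())
    ]
    return lines, suspicious_edges(records, allowlist)


if __name__ == "__main__":
    for line in summarize(SAMPLE_RECORDS)[0]:
        print(line)
    print("flagged:", summarize(SAMPLE_RECORDS)[1] or "none")
    print("flagged (constructed foreign write):",
          summarize(SAMPLE_RECORDS + " " + FOREIGN_RECORD)[1])
```

Run on the full record list, the three edges printed are the whole story of the 64 IoCs; the flagged list is empty because every image is one of the two Reader binaries. The allowlist is the part to tune: on a host where a PDF reader should never write into another product's processes, an entry in the flagged list is the finding, and the edge count tells you whether it was a one-off or sustained.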
Processes
(indentation shows process-tree depth; the first line of each entry is the image path, the second the command line)

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Im Glad My Mom Died (Jennette McCurdy) (z-lib.org).pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E0F131AB886DE4EA2A7BA5B6B99B9918 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9BEC294160E989AC03298F026B2D42FA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9BEC294160E989AC03298F026B2D42FA --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CAE96739097093D683898C71DB23E2BC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CAE96739097093D683898C71DB23E2BC --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9229F594739BD4D34E1B5B1F40C2B79 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8C0DA78A90A6D5D7B4372EEDB80AA82B --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AC81D7EE844C868C010FD6C2700F5F95 --mojo-platform-channel-handle=2580 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
Downloads
- memory/1096-132-0x0000000000000000-mapping.dmp
- memory/1844-142-0x0000000000000000-mapping.dmp
- memory/2476-134-0x0000000000000000-mapping.dmp
- memory/3284-150-0x0000000000000000-mapping.dmp
- memory/3456-147-0x0000000000000000-mapping.dmp
- memory/4640-153-0x0000000000000000-mapping.dmp
- memory/5048-137-0x0000000000000000-mapping.dmp