Analysis
- max time kernel: 92s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 08:52
Behavioral task: behavioral1
- Sample: d594132e612c9625f7cf7cdaaf04c256def9cc08a4c687e6a400e3e7101da9ff.pdf
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d594132e612c9625f7cf7cdaaf04c256def9cc08a4c687e6a400e3e7101da9ff.pdf
- Resource: win10v2004-20220812-en
General
- Target: d594132e612c9625f7cf7cdaaf04c256def9cc08a4c687e6a400e3e7101da9ff.pdf
- Size: 1.9MB
- MD5: dac4e4e95a16eee2d6ce835769783b8d
- SHA1: bfd8d830246e7c0db24ecdcf5aed24c234e1bae8
- SHA256: d594132e612c9625f7cf7cdaaf04c256def9cc08a4c687e6a400e3e7101da9ff
- SHA512: c463e8a87059ab5656a3924cc0edcc423ebac697ac16e411d82b70bcad7fc9903995706e7b6dc0b9571ecd330e2cab6ae340b479625fac7160f312fd0fc8a693
- SSDEEP: 24576:m9EuGoO2uQbIsX5WEm163IaDFacoEM8KbaiJCA5/RtPcSImfrlQXG5ACX:m9EKO2uQdJWV164M0cIDuiRPPRImf6s
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments. Both IoCs here are from AcroRd32.exe, the only process that opened the sample, so this hit by itself does not separate Reader's own startup from code running inside Reader; it needs a second indicator before it means anything.
  Registry IoCs:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Modifies Internet Explorer settings
  Registry IoCs:
  - Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  All 20 IoCs are from PID 4980 AcroRd32.exe.
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4980 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  All 6 IoCs are from PID 4980 AcroRd32.exe.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Every one of the 64 writes is from a Reader process into a Reader process it spawned (source PID -> target PID, source image -> target image); the per-pair counts are collapsed here because the report prints one identical line per write:
  - 4980 -> 3512 (AcroRd32.exe -> RdrCEF.exe), repeated
  - 4980 -> 632 (AcroRd32.exe -> RdrCEF.exe), repeated
  - 3512 -> 2244 (RdrCEF.exe -> RdrCEF.exe), repeated
  - 3512 -> 4352 (RdrCEF.exe -> RdrCEF.exe), repeated
  A parent writing into a child it has just created is what a multi-process launch looks like in a sandbox trace; the signature would be worth chasing only if a target were a process Reader did not create.
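The WriteProcessMemory and registry signatures above are only meaningful after they are compared with what Reader does on its own. The following is an added example for this page, not code from the sandbox, from Adobe or from the report: it parses IoCs in the exact text form the report prints (including the run-on form seen above), rebuilds the parent/child lineage from the write events, and flags writes that leave the Reader process family or CPU-info reads by a process outside a known baseline. The expected image pairs and the known-reader set are assumptions, and the sample lines marked CONSTRUCTED (the explorer.exe target and the update.exe reader) are invented to show what the checks flag; they are not in the report.

```python
"""Re-check Triage-style signature IoCs against a baseline of what Adobe
Reader itself does when it opens a document (added example, not the
sandbox's or Adobe's code)."""
import re
from collections import Counter, namedtuple

Write = namedtuple("Write", "src_pid dst_pid src_image dst_image")

# Same shape as the report's WriteProcessMemory IoCs. The explorer.exe line is
# CONSTRUCTED to show what the check flags; it is not in the report.
SAMPLE_WRITES = """
PID 4980 wrote to memory of 3512 4980 AcroRd32.exe RdrCEF.exe
PID 4980 wrote to memory of 3512 4980 AcroRd32.exe RdrCEF.exe
PID 4980 wrote to memory of 632 4980 AcroRd32.exe RdrCEF.exe
PID 3512 wrote to memory of 2244 3512 RdrCEF.exe RdrCEF.exe
PID 3512 wrote to memory of 2244 3512 RdrCEF.exe RdrCEF.exe
PID 3512 wrote to memory of 4352 3512 RdrCEF.exe RdrCEF.exe
PID 3512 wrote to memory of 5100 3512 RdrCEF.exe explorer.exe
"""

# Same shape as the report's registry IoCs. The update.exe line is CONSTRUCTED.
SAMPLE_REGISTRY = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz update.exe
"""

# The report repeats the source PID after the target PID, hence the \1.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
REG_RE = re.compile(r"Key (value queried|opened|created) (\\REGISTRY\\\S+) (\S+)")
CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor"

# Assumed baseline: the image pairs Reader's own multi-process launch produces.
EXPECTED_PAIRS = {("AcroRd32.exe", "RdrCEF.exe"), ("RdrCEF.exe", "RdrCEF.exe")}
# Assumed baseline: processes seen reading CPU info in clean Reader runs.
KNOWN_CPU_READERS = {"AcroRd32.exe"}


def parse_memory_writes(text):
    """Works on newline-separated lines and on the report's run-on form."""
    return [Write(int(m[1]), int(m[2]), m[3], m[4]) for m in WRITE_RE.finditer(text)]


def lineage(writes):
    """child pid -> parent pid: the first process that writes into a target is
    taken as its creator (a parent writes into a child it has just spawned)."""
    parents = {}
    for w in writes:
        parents.setdefault(w.dst_pid, w.src_pid)
    return parents


def root_of(pid, parents):
    """Follow the lineage upwards; the visited set guards against cycles."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def unexpected_writes(writes, expected=EXPECTED_PAIRS, root_image="AcroRd32.exe"):
    """Writes that leave the Reader family: an image pair Reader does not
    produce itself, or a target whose lineage does not lead back to AcroRd32
    (catches a RdrCEF.exe-named process that Reader never launched)."""
    parents = lineage(writes)
    roots = {w.src_pid for w in writes if w.src_image == root_image}
    return [w for w in writes
            if (w.src_image, w.dst_image) not in expected
            or root_of(w.dst_pid, parents) not in roots]


def classify_registry(text, known=KNOWN_CPU_READERS):
    """(action, key, process, verdict): CPU-info reads are 'baseline' when the
    process is known to do them, 'review' otherwise; other keys are 'info'."""
    rows = []
    for action, key, proc in REG_RE.findall(text):
        if key.startswith(CPU_KEY):
            verdict = "baseline" if proc in known else "review"
        else:
            verdict = "info"
        rows.append((action, key, proc, verdict))
    return rows


def triage(write_text, registry_text):
    """Collapse repeated write lines into per-pair counts and attach verdicts."""
    writes = parse_memory_writes(write_text)
    pairs = {f"{w.src_image}({w.src_pid}) -> {w.dst_image}({w.dst_pid})": n
             for w, n in Counter(writes).items()}
    return {"write_events": len(writes), "write_pairs": pairs,
            "unexpected_writes": unexpected_writes(writes),
            "registry": classify_registry(registry_text)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_WRITES, SAMPLE_REGISTRY).items():
        print(key, value)
```

Run against the real report, the write events collapse to the four Reader-internal pairs listed above and `unexpected_writes` is empty; the constructed explorer.exe target is the kind of line that would change the verdict.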
Processes
Only one process opened the sample (AcroRd32.exe, PID 4980). The RdrCEF.exe entries beneath it are Reader's Chromium Embedded Framework helpers, each launched with one --type (gpu-process or renderer) and --allow-no-sandbox-job; the depth number is the parent/child nesting level shown by the sandbox. CompPkgSrv.exe is a separate top-level process started with -Embedding, the switch used when a COM server is activated out of process.

- depth 1: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 4980)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d594132e612c9625f7cf7cdaaf04c256def9cc08a4c687e6a400e3e7101da9ff.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - depth 3: RdrCEF.exe (gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C6E8B123487E1669172432C4922244C6 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - depth 3: RdrCEF.exe (renderer)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7AFAD57DA844FE702049DD774492BB8C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7AFAD57DA844FE702049DD774492BB8C --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    - depth 3: RdrCEF.exe (renderer)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C59A3BD8359043B536375042E3E83927 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C59A3BD8359043B536375042E3E83927 --renderer-client-id=4 --mojo-platform-channel-handle=2152 --allow-no-sandbox-job /prefetch:1
    - depth 3: RdrCEF.exe (gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3BC62C2946A664220028972504147AA8 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - depth 3: RdrCEF.exe (gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=60ACAB037B953B1615B1DD40FF434266 --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - depth 3: RdrCEF.exe (gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B928814E4F5D6BF2A313659EB0164F3B --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - depth 2: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- depth 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/484-148-0x0000000000000000-mapping.dmp
- memory/632-133-0x0000000000000000-mapping.dmp
- memory/1356-151-0x0000000000000000-mapping.dmp
- memory/2244-135-0x0000000000000000-mapping.dmp
- memory/2532-143-0x0000000000000000-mapping.dmp
- memory/3512-132-0x0000000000000000-mapping.dmp
- memory/3740-154-0x0000000000000000-mapping.dmp
- memory/4352-138-0x0000000000000000-mapping.dmp