Analysis
max time kernel: 68s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-10-2022 13:30
Behavioral task: behavioral1
  Sample: 3bf14ffa7140a6616cb336d429821f7ffbe60ef1993dd24380903bf02bf12fd0.pdf
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3bf14ffa7140a6616cb336d429821f7ffbe60ef1993dd24380903bf02bf12fd0.pdf
  Resource: win10v2004-20220812-en
General
Target: 3bf14ffa7140a6616cb336d429821f7ffbe60ef1993dd24380903bf02bf12fd0.pdf
Size: 984KB
MD5: 30f1f4cc620243c0badcdd0178b37a29
SHA1: 32ca9a84c820239c4a8c8525ebc1bfc2d2022c9c
SHA256: 3bf14ffa7140a6616cb336d429821f7ffbe60ef1993dd24380903bf02bf12fd0
SHA512: 044b11615142331651e9fc51d9813bfef5cc15dfe6059b822012a5c0b15c3bb27747448745e520d42c82bab1d6fa95bb811c8835b2e8aa3829f16c82e6be0747
SSDEEP: 24576:/RlnFrD1S8DD34BfTFywnlMQjt3e1tVrQuaK14yHiSGL5V:JwhBfTgwnnjNe1tVrUKRnY
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid | process
  4932 | AcroRd32.exe (18 occurrences)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid | process
  4932 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid | process
  4932 | AcroRd32.exe (6 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 4932 wrote to memory of 3980 | 4932 | AcroRd32.exe | RdrCEF.exe (3 occurrences)
  PID 3980 wrote to memory of 5116 | 3980 | RdrCEF.exe | RdrCEF.exe (repeated)
  PID 3980 wrote to memory of 4300 | 3980 | RdrCEF.exe | RdrCEF.exe (repeated)
  (the two RdrCEF.exe -> RdrCEF.exe rows account for the remaining 61 of the 64 events)
Processes

- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (depth 1)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3bf14ffa7140a6616cb336d429821f7ffbe60ef1993dd24380903bf02bf12fd0.pdf"
  Signatures:
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 2)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
      - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3, gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9F0FE2CAB77F415D32FFBD1DE0148AA1 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3, renderer)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0661BC6FEB733990123747321FACFB2E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0661BC6FEB733990123747321FACFB2E --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3, renderer)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=02473160BE051527ED5918322C3739A0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=02473160BE051527ED5918322C3739A0 --renderer-client-id=4 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3, gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=236CFD662F5A5386DEECF398901C694C --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3, gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=88A1F2C19489A9435067DB6AA6908128 --mojo-platform-channel-handle=1912 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3, gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F87EC74FF419DC93933CA6051032F33 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

- C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/116-142-0x0000000000000000-mapping.dmp
- memory/1140-150-0x0000000000000000-mapping.dmp
- memory/3132-153-0x0000000000000000-mapping.dmp
- memory/3164-147-0x0000000000000000-mapping.dmp
- memory/3980-132-0x0000000000000000-mapping.dmp
- memory/4300-137-0x0000000000000000-mapping.dmp
- memory/5116-134-0x0000000000000000-mapping.dmp