Analysis
- max time kernel: 86s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2022 02:27
Behavioral task: behavioral1
- Sample: f571cd8bf981f4f04424f8b688b25fc8c63513456ecd351a1f1106bcf47d0a03.pdf
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f571cd8bf981f4f04424f8b688b25fc8c63513456ecd351a1f1106bcf47d0a03.pdf
- Resource: win10v2004-20220812-en
General
- Target: f571cd8bf981f4f04424f8b688b25fc8c63513456ecd351a1f1106bcf47d0a03.pdf
- Size: 2.5MB
- MD5: 21acccb71d6b5a07f9bf7ea551ca420d
- SHA1: 1efbaa08827d8bad2e903ee86e70352f13f8cdef
- SHA256: f571cd8bf981f4f04424f8b688b25fc8c63513456ecd351a1f1106bcf47d0a03
- SHA512: 906ac76f4a8f42f22a3895697d25c569309d5f682c60a89a1c718b7692afb05286778a2354d2a0ecf844255b5e11108e55fc0e8097492f24db6944c379068c7d
- SSDEEP: 49152:A6vVdfZtltcGvB3Nl+xq+d1geqBFAucsEmGIBtWiqFUyM80wVMtTGuK9FrrRAgTv:1VBl6GvB9ejdQWiqFUJqRWl6QTXE
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                                    | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0      | AcroRd32.exe
- Modifies Internet Explorer settings (signature name taken from the process tree below; the TTP/IoC counts are not present in the extracted report)
  Processes:
    description | ioc                                                                                                                                          | process
    Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes:
    pid  | process
    4108 | AcroRd32.exe   (the same entry is listed 20 times, once per IoC)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid  | process
    4108 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
    pid  | process
    4108 | AcroRd32.exe   (the same entry is listed 6 times, once per IoC)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
    description                       | pid  | process      | target process
    PID 4108 wrote to memory of 1200  | 4108 | AcroRd32.exe | RdrCEF.exe   (listed 3 times)
    PID 4108 wrote to memory of 4356  | 4108 | AcroRd32.exe | RdrCEF.exe   (listed 3 times)
    PID 1200 wrote to memory of 532   | 1200 | RdrCEF.exe   | RdrCEF.exe   (repeated)
    PID 1200 wrote to memory of 3860  | 1200 | RdrCEF.exe   | RdrCEF.exe   (repeated)
  The 64 IoCs consist only of these four distinct rows; the remaining 58 entries are repeats of the two RdrCEF.exe -> RdrCEF.exe rows (1200 -> 532 and 1200 -> 3860).
Processes
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f571cd8bf981f4f04424f8b688b25fc8c63513456ecd351a1f1106bcf47d0a03.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4FAA0F367201A19CB3562D68BCE6BF8C --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=812E33550A9DC9377A2C8CA87F630FC2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=812E33550A9DC9377A2C8CA87F630FC2 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A27736AD18B1FDFE45D297025E87C731 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A27736AD18B1FDFE45D297025E87C731 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BA8D9BC9F523D0876B47BBF3ED35D85E --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B520268FBCDD156335358E4A0163A35E --mojo-platform-channel-handle=1936 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=409822AEBFC776D183F9F640C82A871A --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/532-135-0x0000000000000000-mapping.dmp
- memory/644-154-0x0000000000000000-mapping.dmp
- memory/1200-132-0x0000000000000000-mapping.dmp
- memory/2504-151-0x0000000000000000-mapping.dmp
- memory/2688-148-0x0000000000000000-mapping.dmp
- memory/3312-143-0x0000000000000000-mapping.dmp
- memory/3860-138-0x0000000000000000-mapping.dmp
- memory/4356-133-0x0000000000000000-mapping.dmp