Analysis

- max time kernel: 9s
- max time network: 12s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2022 06:38
Behavioral task: behavioral1
- Sample: 837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f.pdf
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f.pdf
- Resource: win10v2004-20220901-en
General

- Target: 837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f.pdf
- Size: 35KB
- MD5: 363c95666cf1e80072656c7b562c4dbb
- SHA1: 7a23212950497a989bd2d33f8d5ac7227f00165d
- SHA256: 837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f
- SHA512: 02d861dd8a858d22ec9c600c9620a11273059fd90a0c76d39a6f4ff48db3efc125e6240cbc94672b91e8f9ed6c9e7040119acf2e17d5f1af3eb9904d39208e24
- SSDEEP: 768:eWpkWucQupPMgVUVqHo6KMSyEp88iSzcBu57bT8YLExK8bi45hlyGkY8lsxizgBi:OiSYL2tLExfbi45hlyGkY8mxizgBXuSs
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- AcroRd32.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- AcroRd32.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Modifies Internet Explorer settings
Processes:
- AcroRd32.exe: key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 4956 AcroRd32.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- PID 4956 AcroRd32.exe (5 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the 64 entries repeat the same three source/target pairs; identical entries are collapsed here):
- PID 4956 AcroRd32.exe wrote to memory of PID 424 RdrCEF.exe
- PID 424 RdrCEF.exe wrote to memory of PID 4328 RdrCEF.exe
- PID 424 RdrCEF.exe wrote to memory of PID 3796 RdrCEF.exe
Processes

- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=34FE6194E16A7C651B41240C15CE69E3 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=14E615B412DD8B780CB7C54C13262B70 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=14E615B412DD8B780CB7C54C13262B70 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E082FBFB3AAA1020045A9FCD8900ADE --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=947FFF0640CE8E0DEDFAF267CE57A8CE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=947FFF0640CE8E0DEDFAF267CE57A8CE --renderer-client-id=5 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D11F78591B1CF345E3C3E5D9AC4B4BDD --mojo-platform-channel-handle=2772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1A1A9B58736979CD1AEA2289C30D356E --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/424-132-0x0000000000000000-mapping.dmp
- memory/944-150-0x0000000000000000-mapping.dmp
- memory/1732-142-0x0000000000000000-mapping.dmp
- memory/3796-137-0x0000000000000000-mapping.dmp
- memory/4328-134-0x0000000000000000-mapping.dmp
- memory/4704-153-0x0000000000000000-mapping.dmp
- memory/5056-145-0x0000000000000000-mapping.dmp