Analysis
- max time kernel: 87s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2022 20:43

Static task
- static1

Behavioral task
- behavioral1
  Sample: tiravotodojair_VF_2909.cleaned.pdf
  Resource: win7-20221111-en

Behavioral task
- behavioral2
  Sample: tiravotodojair_VF_2909.cleaned.pdf
  Resource: win10v2004-20220901-en

General
- Target: tiravotodojair_VF_2909.cleaned.pdf
- Size: 6.0MB
- MD5: 3d75b11ffb1c3021efedd2905c231288
- SHA1: bbf0d5a64479ddd2509a2709a3103a8c9e8e37f6
- SHA256: 3736236878d2d95c7e96c154196e92117805e15397ad85c231c4461eee513df2
- SHA512: 1d560377a234744a33792b819671d051d56071de083113dfe3e8aae72cddd00db8ef2766f993a58e908887eec0154c3b6e557fcaadd5f7d3a8cf7fa10207d1b7
- SSDEEP: 98304:PSsIK625UGA4cfuwMD2BH4YKTw3XSKnowa6bZbUy/y5s7bHcL8VXX6iMKAXLAK9R:JS2DgLsTwHDbwOYL8EiMvXLbNbyi
Malware Config
Signatures
-
Checks processor information in registry  (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0         AcroRd32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    AcroRd32.exe

Modifies Internet Explorer settings

  description         ioc                                                                                                                                   Process
  Key created         \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe

Suspicious behavior: EnumeratesProcesses  (20 IoCs)

  pid     Process
  4596    AcroRd32.exe   (20 identical entries)

Suspicious use of FindShellTrayWindow  (1 IoCs)

  pid     Process
  4596    AcroRd32.exe

Suspicious use of SetWindowsHookEx  (7 IoCs)

  pid     Process
  4596    AcroRd32.exe   (7 identical entries)

Suspicious use of WriteProcessMemory  (64 IoCs)

  description                         pid     Process        procid_target
  PID 4596 wrote to memory of 5088    4596    AcroRd32.exe   81
  PID 5088 wrote to memory of 5112    5088    RdrCEF.exe     83
  PID 5088 wrote to memory of 32      5088    RdrCEF.exe     84

  The 64 entries are three occurrences of the first row followed by repeats of the two RdrCEF.exe rows; the distinct rows are listed once above.
Processes
-
AcroRd32.exe  PID:4596
  Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tiravotodojair_VF_2909.cleaned.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  RdrCEF.exe  PID:5088  (child of PID 4596)
    Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory

    RdrCEF.exe  PID:5112  (child of PID 5088)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=117401B2A77A2F17D50129F78DDDB2ED --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    RdrCEF.exe  PID:32  (child of PID 5088)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B9010A93D0119D1792E6B23845927E02 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B9010A93D0119D1792E6B23845927E02 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1

    RdrCEF.exe  PID:4676  (child of PID 5088)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=82571C71833A584FF9DF3792AD1096B9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=82571C71833A584FF9DF3792AD1096B9 --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1

    RdrCEF.exe  PID:4708  (child of PID 5088)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=086C968B4E66E01297F3C2022E73CD0E --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    RdrCEF.exe  PID:3768  (child of PID 5088)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0DB2ECA82BDE9B67A57C837CEF426E0C --mojo-platform-channel-handle=1864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    RdrCEF.exe  PID:3444  (child of PID 5088)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E03235C86FADAFF50CE10E64D75393F2 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

CompPkgSrv.exe  PID:4296
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding