9d945267828a2d05e99a2b2ef9db3a0ddba0fc11c9b8f3f9fe20fb0403b98a6f

General

Target

Acrobat Pro DC 2020 Portable.exe
Size

1023.0MB
MD5

1219e666d016c6b5dd3e6d660639d0d4
SHA1

b5555bdbd33e75cf0592a7b7a276265f170c1b82
SHA256

1fecd5e4a5b2bbea1ab06258ae4669e818b65aed08dd3d2544aa5a7df540685f
SHA512

e2a078e96add1bdd095a6dcd2090ccb2fe1092b7c011504e00fb4a43f77d4d4a25050ce44b370a6ff650976d08dcd03d03bc98bb083fe0eb6e7c351cead23188
SSDEEP

12582912:4qQyBhyIHz/E2bbFYbgqWFWBbfpLvDUn4StgdXw/KVo0S/hhrhH8mP:HQyBoKMYKfMPhcQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

612 WerFault.exe
1516 WerFault.exe
Loads dropped DLL 2 IoCs

Processes:

Acrobat Pro DC 2020 Portable.exeWerFault.exe

pid process

944 Acrobat Pro DC 2020 Portable.exe
612 WerFault.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

WerFault.exe

pid process

612 WerFault.exe

pid	process
612	WerFault.exe
1516	WerFault.exe

pid	process
944	Acrobat Pro DC 2020 Portable.exe
612	WerFault.exe

pid	process
612	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Acrobat Pro DC 2020 Portable.exeWerFault.exe

description	pid	process	target process
PID 944 wrote to memory of 612	944	Acrobat Pro DC 2020 Portable.exe	WerFault.exe
PID 944 wrote to memory of 612	944	Acrobat Pro DC 2020 Portable.exe	WerFault.exe
PID 944 wrote to memory of 612	944	Acrobat Pro DC 2020 Portable.exe	WerFault.exe
PID 944 wrote to memory of 612	944	Acrobat Pro DC 2020 Portable.exe	WerFault.exe
PID 944 wrote to memory of 612	944	Acrobat Pro DC 2020 Portable.exe	WerFault.exe
PID 944 wrote to memory of 612	944	Acrobat Pro DC 2020 Portable.exe	WerFault.exe
PID 944 wrote to memory of 612	944	Acrobat Pro DC 2020 Portable.exe	WerFault.exe
PID 612 wrote to memory of 1516	612	WerFault.exe	WerFault.exe
PID 612 wrote to memory of 1516	612	WerFault.exe	WerFault.exe
PID 612 wrote to memory of 1516	612	WerFault.exe	WerFault.exe
PID 612 wrote to memory of 1516	612	WerFault.exe	WerFault.exe
PID 612 wrote to memory of 1516	612	WerFault.exe	WerFault.exe
PID 612 wrote to memory of 1516	612	WerFault.exe	WerFault.exe
PID 612 wrote to memory of 1516	612	WerFault.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Acrobat Pro DC 2020 Portable.exe
"C:\Users\Admin\AppData\Local\Temp\Acrobat Pro DC 2020 Portable.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\local\stubexe\0x713FA8B4D72CB81A\WerFault.exe
"C:\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\local\stubexe\0x713FA8B4D72CB81A\WerFault.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\local\stubexe\0x713FA8B4D72CB81A\WerFault.exe
"C:\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\local\stubexe\0x713FA8B4D72CB81A\WerFault.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
3⤵
- Executes dropped EXE
PID:1516

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\local\stubexe\0x713FA8B4D72CB81A\WerFault.exe
Filesize
28KB

MD5
a1507a246979ab1641f973e13481df2b

SHA1
bc9aac4b15668460920ae9f4844dc1233a844d4d

SHA256
590e0376303b377939f1738db45a1ab73390c50f51f7e6b8823282bff10a8a12

SHA512
e7e448f54e1a6c022f256f2ad791606ced46775f46237c464706aadf3323f799f8867eba7e9e20096fccc17d9f72acba65e1d5076fb2ff55f6c4b255f5950a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\local\stubexe\0x713FA8B4D72CB81A\WerFault.exe
Filesize
28KB

MD5
a1507a246979ab1641f973e13481df2b

SHA1
bc9aac4b15668460920ae9f4844dc1233a844d4d

SHA256
590e0376303b377939f1738db45a1ab73390c50f51f7e6b8823282bff10a8a12

SHA512
e7e448f54e1a6c022f256f2ad791606ced46775f46237c464706aadf3323f799f8867eba7e9e20096fccc17d9f72acba65e1d5076fb2ff55f6c4b255f5950a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\xsandbox.bin
Filesize
16B

MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\local\stubexe\0x713FA8B4D72CB81A\WerFault.exe
Filesize
28KB

MD5
a1507a246979ab1641f973e13481df2b

SHA1
bc9aac4b15668460920ae9f4844dc1233a844d4d

SHA256
590e0376303b377939f1738db45a1ab73390c50f51f7e6b8823282bff10a8a12

SHA512
e7e448f54e1a6c022f256f2ad791606ced46775f46237c464706aadf3323f799f8867eba7e9e20096fccc17d9f72acba65e1d5076fb2ff55f6c4b255f5950a4e

Download Submit
\Users\Admin\AppData\Local\Temp\Sandbox\Adobe Acrobat DC\local\stubexe\0x713FA8B4D72CB81A\WerFault.exe
Filesize
28KB

MD5
a1507a246979ab1641f973e13481df2b

SHA1
bc9aac4b15668460920ae9f4844dc1233a844d4d

SHA256
590e0376303b377939f1738db45a1ab73390c50f51f7e6b8823282bff10a8a12

SHA512
e7e448f54e1a6c022f256f2ad791606ced46775f46237c464706aadf3323f799f8867eba7e9e20096fccc17d9f72acba65e1d5076fb2ff55f6c4b255f5950a4e

Download Submit
memory/612-91-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-93-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/612-127-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-90-0x0000000054CC0000-0x0000000054CC1000-memory.dmp

Filesize
4KB

Download
memory/612-92-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/612-88-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-86-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-85-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-84-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-83-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-79-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-80-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-81-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/612-82-0x0000000001BA0000-0x0000000002147000-memory.dmp

Filesize
5.7MB

Download
memory/944-65-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-68-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-61-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-70-0x0000000054CC0000-0x0000000054CC1000-memory.dmp

Filesize
4KB

Download
memory/944-60-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-57-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-62-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-67-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/944-69-0x0000000054CC0000-0x0000000054CC1000-memory.dmp

Filesize
4KB

Download
memory/944-59-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-58-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-63-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/944-126-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/944-125-0x0000000000E60000-0x0000000001407000-memory.dmp

Filesize
5.7MB

Download
memory/1516-124-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1516-123-0x0000000001ED0000-0x0000000002477000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads