Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 00:19
Behavioral task behavioral1
  Sample: 1c601fa49b232ed141c4b924123f9f91.pdf
  Resource: win7-20231215-en
Behavioral task behavioral2
  Sample: 1c601fa49b232ed141c4b924123f9f91.pdf
  Resource: win10v2004-20231222-en
(The results on this page are from behavioral2, the Windows 10 run named in the Analysis block above.)
General
Target: 1c601fa49b232ed141c4b924123f9f91.pdf
Size: 104KB
MD5: 1c601fa49b232ed141c4b924123f9f91
SHA1: 49d3d6d16bd2bd1b5b65c719123bc281e5d042de
SHA256: 3d11b12bc3084b7456579cc3e4d934496a61052d0be4839e9e84b8b8fe27ce68
SHA512: 6a96bbac9a3c6b0c09b9362ff2428a85bdc95ad40f7f956bd08b2033571cb276005d7d0d7142c2ee4747510e9a40387b627f8bb79ea430de71c828e107ce022b
SSDEEP: 3072:FPAt62UxiOFs6wZzXxK5a4lzT63VvNVkoG5eQG7/R:itjUxi/fZLg5jfwl/G58
Malware Config: (none listed)
Signatures

Checks processor information in registry  (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the process doing the reading is AcroRd32.exe itself; Reader and many other legitimate applications query CentralProcessor\0 at startup, so on its own this is a weak signal that also fires on benign PDFs. It becomes interesting only when the same query comes from a process the document spawned or from code injected into Reader.
  description        ioc                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe

Modifies Internet Explorer settings
FEATURE_BROWSER_EMULATION is the per-executable document-mode override consulted by applications that host the IE WebBrowser control. The key is created by AcroRd32.exe, which is routine for Reader; the report records only the key creation, not the value names written under it.
  description  ioc                                                                                                                                               process
  Key created  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe

Suspicious behavior: EnumeratesProcesses  (20 IoCs)
  pid 3500  AcroRd32.exe  (all 20 entries)

Suspicious use of FindShellTrayWindow  (1 IoCs)
  pid 3500  AcroRd32.exe

Suspicious use of SetWindowsHookEx  (5 IoCs)
  pid 3500  AcroRd32.exe  (all 5 entries)

Suspicious use of WriteProcessMemory  (64 IoCs)
The 64 entries are three parent-to-child edges repeated; they are tabulated here with repeat counts instead of listed row by row:
  source pid  source process  target pid  procid_target  entries
  3500        AcroRd32.exe    1492        91             3
  1492        RdrCEF.exe      3852        93             41
  1492        RdrCEF.exe      872         92             20
Every target is a direct child the writer had just created (AcroRd32.exe into the RdrCEF.exe broker, the broker into its renderer and gpu-process helpers), which is the normal Chromium/CEF process bootstrap. No write targets a process outside Reader's own tree, so this signature does not by itself indicate injection.
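The WriteProcessMemory table is noise-heavy, and the question a triager actually asks of it is whether any write lands outside the writer's own children. The following Python script is an added example, not part of the sandbox report or of any tool it uses: it parses rows in the table's own text format, collapses repeats, and labels each edge using the parent/child relations from the Processes section. The row text and the process tree are transcribed from this page; the final row targeting CompPkgSrv.exe is a constructed counter-example that does not occur in the report.

```python
import re
from collections import Counter

# One row of the sandbox's "Suspicious use of WriteProcessMemory" table looks like:
#   "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$"
)

# Constructed input: the three distinct rows from this report, repeated as often as
# the report lists them (3 + 41 + 20 = 64, the IoC count in the signature header).
WPM_ROWS = "\n".join(
    ["PID 3500 wrote to memory of 1492 3500 AcroRd32.exe 91"] * 3
    + ["PID 1492 wrote to memory of 3852 1492 RdrCEF.exe 93"] * 41
    + ["PID 1492 wrote to memory of 872 1492 RdrCEF.exe 92"] * 20
)

# Process tree as the report's "Processes" section shows it: pid -> (image, parent pid).
# Top-level processes (no parent shown on the page) get None.
PROCESS_TREE = {
    3500: ("AcroRd32.exe", None),
    1492: ("RdrCEF.exe", 3500),
    872: ("RdrCEF.exe", 1492),
    3852: ("RdrCEF.exe", 1492),
    4476: ("RdrCEF.exe", 1492),
    2924: ("RdrCEF.exe", 1492),
    1660: ("RdrCEF.exe", 1492),
    1320: ("RdrCEF.exe", 1492),
    5064: ("CompPkgSrv.exe", None),
}


def parse_rows(text):
    """Parse table rows into (src_pid, dst_pid, src_image) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["image"]))
    return events


def classify_writes(events, tree):
    """Collapse repeated rows into one edge per (src, dst) and label each edge.

    'spawned-child': the writer is the direct parent of the target. Parents routinely
    write into children they have just created (CreateProcess with a suspended child,
    Chromium/CEF handing its helpers their startup data), so this is expected noise.
    'cross-process': the target is not the writer's child, which is the shape an
    injection into an unrelated process would have and deserves a closer look.
    """
    counts = Counter(events)
    summary = {}
    for (src, dst, image), n in counts.items():
        parent = tree.get(dst, (None, None))[1]
        verdict = "spawned-child" if parent == src else "cross-process"
        summary[(src, dst)] = {"image": image, "count": n, "verdict": verdict}
    return summary


def suspicious_edges(summary):
    """Return the (src, dst) edges that were not parent-to-child writes."""
    return sorted(edge for edge, info in summary.items() if info["verdict"] == "cross-process")


if __name__ == "__main__":
    summary = classify_writes(parse_rows(WPM_ROWS), PROCESS_TREE)
    for (src, dst), info in sorted(summary.items()):
        print(f"{src:>5} -> {dst:<5} {info['image']:<13} x{info['count']:<3} {info['verdict']}")
    # Constructed counter-example, not from the report: RdrCEF writing into CompPkgSrv,
    # a process it did not spawn, is what the check is meant to surface.
    injected = parse_rows("PID 1492 wrote to memory of 5064 1492 RdrCEF.exe 99")
    print(suspicious_edges(classify_writes(injected, PROCESS_TREE)))  # [(1492, 5064)]
```

Run against the report's rows the script prints three edges, all labelled spawned-child, and an empty suspicious list; the constructed CompPkgSrv row is the only edge it flags. The same parent-of-target test is what to apply before escalating any WriteProcessMemory signature from a Chromium-based host process.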
Processes

PID 3500  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  (top level)
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1c601fa49b232ed141c4b924123f9f91.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  PID 1492  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (child of 3500, CEF broker)
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory

    PID 872  RdrCEF.exe renderer  (child of 1492)
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7AE9418BD1773503DB9FD97336EEFE12 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7AE9418BD1773503DB9FD97336EEFE12 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1

    PID 3852  RdrCEF.exe gpu-process  (child of 1492)
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27BC96E74E5921C0E4A5783A0131FF4A --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    PID 4476  RdrCEF.exe gpu-process  (child of 1492)
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E824DE265C632B2973017F439A8FFF8A --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    PID 2924  RdrCEF.exe renderer  (child of 1492)
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D12B2476814DAC32567899CD96789659 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D12B2476814DAC32567899CD96789659 --renderer-client-id=6 --mojo-platform-channel-handle=1968 --allow-no-sandbox-job /prefetch:1

    PID 1660  RdrCEF.exe gpu-process  (child of 1492)
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F6AE9E51BC7FED56F8CCE88D5A8F46E9 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    PID 1320  RdrCEF.exe gpu-process  (child of 1492)
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1057769153574B886F84B1E7C84F115A --mojo-platform-channel-handle=2772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

PID 5064  C:\Windows\System32\CompPkgSrv.exe  (top level)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1660  C:\Windows\system32\wbem\wmiprvse.exe  (top level)
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Notes on the tree:
- Every child of Reader is one of its own AcroCEF helpers (two renderers and four gpu-process instances); the document spawns no shell, script host or other executable during the run.
- CompPkgSrv.exe and wmiprvse.exe appear at the top level with -Embedding, i.e. COM activation by the system rather than children of Reader, and are routine on a Windows 10 image.
- PID 1660 is listed for both a gpu-process helper and wmiprvse.exe, which is consistent with PID reuse after the earlier helper exited.
- The gpu-process command lines carry --use-gl=swiftshader-webgl with --gpu-vendor-id=0x1234 --gpu-device-id=0x1111, the QEMU standard VGA adapter: the sandbox VM has no real GPU, which a sample that fingerprints graphics hardware would notice.
- --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" records the Reader build and bundled CEF in the image; a PDF that targets a different Reader version may do nothing here, so a quiet run is not proof that the file is benign.
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
  Filesize: 64KB
  MD5: 1f389026cbe51713d3a672618aacbc5d
  SHA1: 2308c9c4e085a00c77e398d80105583cf9b87340
  SHA256: 0e5f79691b8cde91f92e61a008eeb809217ec0be714c0921dc2e96b8abad2a46
  SHA512: 1b3d3582d63234319d45537fec1979d9ecead3c4be0bdf8a86c6c94f8aecb441e00c4141a16feea8d3bf2feab12ce0d32a3e7113ddcea9f024db31ad5fe85c39

Dropped file 2
  Filesize: 26KB
  MD5: 79e07474c47d8d9ae8c1f63d6cd182dd
  SHA1: 867bb9d839c5fad1846e62618fe98eeafe18335b
  SHA256: 64c63fc33f307dcc983b6ffaaa4bd1432ed81f1843ec9578e7e357fb4fb1f708
  SHA512: 4fa403eb373e61826930e8dae1cc42b47694c45e403112fd85293afb33e19369867724fb47a24182ac98e162150a43a58135185b931976f3f153f8bb3ed8e396