2557728e5069ab02aeff27314c7de1bbd670a079b1a25c4de2a30d652ba39da6

General

Target

823664f6526db5b121ddbcc2d0f767da.pdf
Size

184KB
MD5

90d8d0073913d38fa04b3979eefd945a
SHA1

25525f861792ba68f062bc0f570a86e10c2f1a96
SHA256

2557728e5069ab02aeff27314c7de1bbd670a079b1a25c4de2a30d652ba39da6
SHA512

f2b7393e064c77339ed1e6b06730c6409a1d7cdfdf0bb70c3599acaf6318c245f78b152bd60f948a5f7b0c74e4ad8cde08984f25aaa1874d880a72b84affab55
SSDEEP

3072:hfB0C2gxMgJJIvkLU2Ygui+7l2EvGeOsCfgjSFu2xS2dZzl01JKYE:UYdPCkJYgB0M+5CuJKzMHE

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe
312	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

312 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

312 AcroRd32.exe
312 AcroRd32.exe
312 AcroRd32.exe
312 AcroRd32.exe
312 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 312 wrote to memory of 2764	312	AcroRd32.exe	RdrCEF.exe
PID 312 wrote to memory of 2764	312	AcroRd32.exe	RdrCEF.exe
PID 312 wrote to memory of 2764	312	AcroRd32.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2156	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe
PID 2764 wrote to memory of 2276	2764	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\823664f6526db5b121ddbcc2d0f767da.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:312
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DB365BB3ADAB3C6B6304F61E293B3E62 --mojo-platform-channel-handle=1648 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2156
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DEE7E242483A7F9D359B571743E0C481 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DEE7E242483A7F9D359B571743E0C481 --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2276
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=729917FCFA9976FFD8D70853AE755897 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=729917FCFA9976FFD8D70853AE755897 --renderer-client-id=4 --mojo-platform-channel-handle=2228 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A12486FB3365F653A011398525DE8DE --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3416
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=70033911451884F0549ABFB2EC846472 --mojo-platform-channel-handle=2592 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2184
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09DF404A62977B27F308D095A0E18CA8 --mojo-platform-channel-handle=2580 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0b2bb0495a667fb321b2a882e50374c6

SHA1
a016613087f08376463d243a47fe6874e59f7d69

SHA256
dc2dbbcd80f256546c307688fcab2aa9372e9e90ff6c43be780da882c5db7371

SHA512
4bef1c57aa6026c94d30a621f4ade7a4e965848de0cddd70232c928781aee6f8620e08dac5dc5cb1568f616db15262d654fbc91b37c39f99b303356aa470b98b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
24KB

MD5
7beefcfbd56194ee6079315c1ef29165

SHA1
a43ed18dd4ea6e1c3d25ed21a707df4bf77b1588

SHA256
5edf5e536c246a3dfaaddc66d018f4df75f0db1b6689fe64a5f39dda0f443c22

SHA512
df02362706819c18fdafe790bbc4da4718434feb75ed2a7f0d4483a4b38592b5777a9a7afa9bd2d87f2c37016e87c7fc4b4ceb9ffa21f5800eebc4ff7c457856

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
32KB

MD5
668cc2cc0396192e0c673c1764a29560

SHA1
b1f8dff7b9960d24e637acf93c22cc4d658be9c9

SHA256
36e2649b2f3131f6f2cc18b2860c99d1d13dd643da1ce019307fa5ff245fa943

SHA512
94b0639e2d77a08997b98792693d37e82b0831bd2228d9b617ec1106cb551ce8ae3f0441d4487c00ecb24ab0dcb81b2c05ade2012714974ad67ebb9e0dcf1f60

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads