Analysis
-
max time kernel
164s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2024 22:02
Behavioral task
behavioral1
Sample
d7367bc0c8b09be76a8382624e5010bf.pdf
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
d7367bc0c8b09be76a8382624e5010bf.pdf
Resource
win10v2004-20240226-en
General
-
Target
d7367bc0c8b09be76a8382624e5010bf.pdf
-
Size
99KB
-
MD5
d7367bc0c8b09be76a8382624e5010bf
-
SHA1
b5c8d0ba8198a6227a41f6ee79cf95e694d4b514
-
SHA256
c6c8b29b5c21284f9c556528c770574f66ecbf67274f3bb34bb20355f38752dd
-
SHA512
1acc9f5bf9098dc4b1c201af0d7df60c746c76a9cc88c77764bb2432edcc64221e029df833dbba6ed324d5c54a2ebd2c863d386829340be8f18042479390468b
-
SSDEEP
3072:9CdXhVvvKopii0zi84+d7TkByCzKZ7e+9b:QNhVqoPcv7QiZ
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4784 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe 4784 AcroRd32.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4784 wrote to memory of 1760 4784 AcroRd32.exe 105 PID 4784 wrote to memory of 1760 4784 AcroRd32.exe 105 PID 4784 wrote to memory of 1760 4784 AcroRd32.exe 105 PID 4784 wrote to memory of 3684 4784 AcroRd32.exe 109 PID 4784 wrote to memory of 3684 4784 AcroRd32.exe 109 PID 4784 wrote to memory of 3684 4784 AcroRd32.exe 109 PID 4784 wrote to memory of 1820 4784 AcroRd32.exe 110 PID 4784 wrote to memory of 1820 4784 AcroRd32.exe 110 PID 4784 wrote to memory of 1820 4784 AcroRd32.exe 110 PID 4784 wrote to memory of 3184 4784 AcroRd32.exe 113 PID 4784 wrote to memory of 3184 4784 AcroRd32.exe 113 PID 4784 wrote to memory of 3184 4784 AcroRd32.exe 113 PID 4784 wrote to memory of 4104 4784 AcroRd32.exe 114 PID 4784 wrote to memory of 4104 4784 AcroRd32.exe 114 PID 4784 wrote to memory of 4104 4784 AcroRd32.exe 114 PID 4784 wrote to memory of 4188 4784 AcroRd32.exe 115 PID 4784 wrote to memory of 4188 4784 AcroRd32.exe 115 PID 4784 wrote to memory of 4188 4784 AcroRd32.exe 115
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d7367bc0c8b09be76a8382624e5010bf.pdf"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵PID:1760
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵PID:3684
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵PID:1820
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵PID:3184
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵PID:4104
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵PID:4188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:81⤵PID:2268
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD5e0ce5289ab057d3144a3da4d7d65f0e9
SHA1cd0e30a81cb3407326c0763dda18042b85b32161
SHA256391d7de5537f55c6751e7a27e05d4a95109ae2c0c3c8ee63663df637900476a2
SHA512749618da3d266406047344aa987799b5159faefd4a300fe0ad6e5d6fe755cb7ead84f80685c44a9eaec5eb3f7b9a19fc3bbc792cd45c16c337c0acf850b855d2