3c2ef7401babd7fe4a621f8dde5ac228e91c89eb08cca67f082d5148ebc4585e

General

Target

1784.pdf
Size

104KB
MD5

6435ed31a9784db84e33855a578a1a0a
SHA1

d08ae3de542df7234f51cb63c1f89feeb7493c12
SHA256

3c2ef7401babd7fe4a621f8dde5ac228e91c89eb08cca67f082d5148ebc4585e
SHA512

5848af042441c39bfd0a7b78bb5971eaec673503b75f245553193419c6ff84750c9279a94cfb49b44a3b4bc365102fa827ef3a4f07ad82bfb2f37cd7fae611fc
SSDEEP

1536:+Pw9pvY9yOgLKLgzGywRwBcyTRMYELsvim2PLlUx7KH5jeS9pKYxdHfOLbFEy+Io:+Pwj4yO/gPnvOlUCKYxBsbk7

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4464 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4464 AcroRd32.exe
4464 AcroRd32.exe
4464 AcroRd32.exe
4464 AcroRd32.exe

pid	process
4464	AcroRd32.exe

pid	process
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe
4464	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4464 wrote to memory of 208	4464	AcroRd32.exe	RdrCEF.exe
PID 4464 wrote to memory of 208	4464	AcroRd32.exe	RdrCEF.exe
PID 4464 wrote to memory of 208	4464	AcroRd32.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 384	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe
PID 208 wrote to memory of 4496	208	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1784.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B17D82686E402B92FEBF7DBB8F9137BD --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:384

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=32FD489FE40593A4F13D2C5BCF9F9564 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=32FD489FE40593A4F13D2C5BCF9F9564 --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4496

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9023D3EBFD24B22022015C51CBFB73BC --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=88F50A898F6252C8FAEA5A8CCC67D8FB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=88F50A898F6252C8FAEA5A8CCC67D8FB --renderer-client-id=5 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1960

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5D27254E095C808561CA617665975C2D --mojo-platform-channel-handle=2688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2256

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=11AABC59F63D3B852AA03770F3457F38 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
df3cafc7fcbb4c355cf192f820d02764

SHA1
78af28f749d6ab4f2d558439ab58edcf0916ec89

SHA256
0631d2bc0f54faa554fa65e1c734b55eb49b97f3c9ab4f94791298bd9c0c7f04

SHA512
ceda45dc91bbf2a12627046ae7e8c29a08cc83fa80777e75674ec4139cc3353ade2d1f0ffdbe660c3d8aa8e3a7e70d2e5fe8135569f398702abd46eceb9c3b66

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
29722fcbb975d932537ae25cdc4255f1

SHA1
022241de07b07efb05f017775e8a6be134176ce4

SHA256
167843e38521b3f81bb0c253016ee99d674cd9904efb626dc9595084634ca253

SHA512
c98208cefa113b64bf8dcba4be79574e88266adfba4b59da1d5ef833d5945ca131631b2089cdc7793b7481f3138408b712470ea36fb957a7b0fe0741a90031b6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads