68f0fcf23130beb1f16a725f4da2c383cbb08cdde2a971217d955bacfd8eb10a

General

Target

d8a0a1f924a6c5f74e8a0c18f6f96e70_NeikiAnalytics.pdf
Size

609KB
MD5

d8a0a1f924a6c5f74e8a0c18f6f96e70
SHA1

7fc321da067fc3296d4ff504435f4539cc98467f
SHA256

68f0fcf23130beb1f16a725f4da2c383cbb08cdde2a971217d955bacfd8eb10a
SHA512

67757ee06f0462f820b472b5d7929672e6b8ef6705afd0869204211e7f9eaf1da32f9afe477d95c8485c926c64aaba130f7830e8cae13af3e3703769ae755400
SSDEEP

12288:8G8N/QFbs4rijFKP7BlODrACuCcNyTE2DV:sQ+4rfNDCuCBdV

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1836 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

1836 AcroRd32.exe
1836 AcroRd32.exe
1836 AcroRd32.exe
1836 AcroRd32.exe
1836 AcroRd32.exe

pid	process
1836	AcroRd32.exe

pid	process
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1836 wrote to memory of 1584	1836	AcroRd32.exe	RdrCEF.exe
PID 1836 wrote to memory of 1584	1836	AcroRd32.exe	RdrCEF.exe
PID 1836 wrote to memory of 1584	1836	AcroRd32.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 524	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe
PID 1584 wrote to memory of 4896	1584	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d8a0a1f924a6c5f74e8a0c18f6f96e70_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE988F0E0C31C0F119723C03078F4F5E --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EDE8F1C76059F884215787E780F3B972 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EDE8F1C76059F884215787E780F3B972 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4896

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FFD7649C895CD5DB71CC92427E0A7DBB --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1220

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=273CB8313164685F151F49CCADA3A9B2 --mojo-platform-channel-handle=1936 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4260

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B248296FF835715EFCA417F39558E3CA --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6A5205B057E9EAC31F2793F5B7B3AF13 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6A5205B057E9EAC31F2793F5B7B3AF13 --renderer-client-id=7 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
c8c590eb89c32eaf09184d3c48aedcc7

SHA1
34e4be76c323263d508916d66c842dfa891f99c9

SHA256
61a574468e5c6a6af01fbcc98c0de11c5a78bf38affee6e5e70b3245fb14b3be

SHA512
6ea13331b928cde4ce3430c31664dc0675bbb5fa2a787adcd1b51e94f01a38cd1263b6f2f25bceff93225c14f7454a9cb3124d37940e4d8748733f452899d88c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
7e938d909534f48c7cd194f012efb25b

SHA1
cf589d3a2ebcdae9b91704bde6bf5c682a8acc54

SHA256
c1ea7ce1752ae0105e27c80562669f0d02ab404e9ee7d6598ac8a04191c0aa01

SHA512
43e0711a23ea4e9292c09d3936c30418bbbd476d90957d9c345c9ee22b18f37321136d4d1308ca931515164e388931bb2ea88e75004f88758909cd1fa47caeaf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads