b101a4f06031a0a1bb2a83bf3680ff6dcaa4a1176db2e4a97d7fe0fd380f7b9b

General

Target

DOC 589-NE-268769165.pdf
Size

10KB
MD5

6055193b7d60b070f1c65f4496d106ff
SHA1

20eeca5a0827a2c49daf664599005bb800e23a9b
SHA256

b101a4f06031a0a1bb2a83bf3680ff6dcaa4a1176db2e4a97d7fe0fd380f7b9b
SHA512

eb9ba0f58ebcd8e6f5bbd8d2d164c310e1ec5eaa828956d809810e95b83caf1c4be4fbb2c9bd3691333912e15e1e194a9675cf1e4d1865e5fb3eeead3ae26295
SSDEEP

192:QILIU/fSWUOg8JtUXOokeMvPERrXoK0a2PEg06POTtLQyC5MMw4nAxMdAIRrJ:QILIeSWE0tUX7ke6O4K0Rrp4EyFMw/xC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1668 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1668 AcroRd32.exe
1668 AcroRd32.exe
1668 AcroRd32.exe
1668 AcroRd32.exe

pid	process
1668	AcroRd32.exe

pid	process
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe
1668	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1668 wrote to memory of 1892	1668	AcroRd32.exe	RdrCEF.exe
PID 1668 wrote to memory of 1892	1668	AcroRd32.exe	RdrCEF.exe
PID 1668 wrote to memory of 1892	1668	AcroRd32.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1500	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe
PID 1892 wrote to memory of 1484	1892	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DOC 589-NE-268769165.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F29665C2D9B625F11E0D0FAEA043ABDE --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1500

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D75060780514EB110E49FE2BC5411F14 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D75060780514EB110E49FE2BC5411F14 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8C15E155277C579317AA55AF496715E3 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2920

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1707ADC764FD0674B2D21B5450ECA227 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4004

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CCBD645A4EF286439ACF98DB6D27620B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CCBD645A4EF286439ACF98DB6D27620B --renderer-client-id=6 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4252

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7D60854377E6B40DE31F44C9B8A0496D --mojo-platform-channel-handle=2544 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ced44303716a9b40e0f75326c3bb2a1a

SHA1
425f8767243ff2795448c91031a2ff55ab4469cf

SHA256
97dc4519afad254d44db3546f4479a36326aa35302e11643ae12feb9df7f2a9c

SHA512
93998bf7aedbdddab4766db7e451c84a088daf9b8fb1b686e12ec25639997627dec344f9d10431e4fe1a3d6a2f5ad68091e74485dd7e66a1e89fc2715efc67ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c5f00ba6d9943109f9b63634041b3fc2

SHA1
d575e574d8f62170629095ae6402e507ae18c372

SHA256
64f2b973cfb9bd052112ee518df0d397701366c0b6dd45981f9aad031c216084

SHA512
587c74886274258fca3379a3a46c4c2f20c0a2bd6198a3d6e1433f51d21ba8c4e66f0de503c2346b2986d3d5702ad215363c793101c6a52cb8759eb405bbc900

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads