edf3dd5cde8f0740f1fe463dc5b40b782936e004ec42539eb01c3cbf454f2b5d

General

Target

611f9596841d2036961f728b5d033920_NeikiAnalytics.pdf
Size

419KB
MD5

611f9596841d2036961f728b5d033920
SHA1

822f47712416cbd1755272910c37f1673e1964f5
SHA256

edf3dd5cde8f0740f1fe463dc5b40b782936e004ec42539eb01c3cbf454f2b5d
SHA512

b8297b0616c53a00b0bf7ef4832543c171f0120b9fc72cd318ba4fcff72e873a99181bc21aafc7394f90e2a2b84f18a3da3fed0b92c5927eb526a08e28fc5cb6
SSDEEP

6144:R2WoDJJqiqNiQ7uSCmWe8ulcBBwX9yhWOwagrcL31Ih/bDh1ROmrqMnnXLEG4Klf:sxqiqAQ7urebulpScO1ROmzIklY0s4

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2428 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2428 AcroRd32.exe
2428 AcroRd32.exe
2428 AcroRd32.exe
2428 AcroRd32.exe

pid	process
2428	AcroRd32.exe

pid	process
2428	AcroRd32.exe
2428	AcroRd32.exe
2428	AcroRd32.exe
2428	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2428 wrote to memory of 2596	2428	AcroRd32.exe	RdrCEF.exe
PID 2428 wrote to memory of 2596	2428	AcroRd32.exe	RdrCEF.exe
PID 2428 wrote to memory of 2596	2428	AcroRd32.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 3268	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 2952	2596	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\611f9596841d2036961f728b5d033920_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D3417FBD7A2AA1D3E4D7345CFEFB7076 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3268

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8813D458C338F4DD252AE1E21A52814F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8813D458C338F4DD252AE1E21A52814F --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2952

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2BD11D345D331D3DCCDC24C6F08B0240 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2640

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F640829AD38B522E8904B1D418917B5 --mojo-platform-channel-handle=1928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3588

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8D02B890D188741D35A460295ED2E63 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4928

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A71764FF6AE4FA0A076EED0AA58CFFB9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A71764FF6AE4FA0A076EED0AA58CFFB9 --renderer-client-id=7 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
c6c720a9414582220404675f27724fbc

SHA1
a1b77c2807e2ed413eb3f029901ac0f23f662080

SHA256
6064c6e0792278dac438fa2ba7988a097da294d7bbe29b4a6457a26fe19265a7

SHA512
5625ed6c29322452b0f62ca9c9eb0e4fa9e9e49b9efc8e96685494068f2f5b3217b74bb40834690912a3b314370414eaf0fe5b74089f727968e1310e236ae705

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
5da79f690677a82bea69b66efe6442aa

SHA1
2f5c771d6a48a0b3f02297474f3bc5d441884821

SHA256
cf87751458183e2ef77ba67bba9f1e22d1ca926b4b5b7e6226f1a54a79635873

SHA512
5e248daa379e5db051b7bcc12f197d6bc335496fca4228b85d8e620e449726e059f562a8435f34828ff144d4ba0469e86a62f16cb7dedc5000933df8bbc94188

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads