53b40746ed73e3068e492fdb610e6f7005940df11232a5532a50832ff0485ba9

General

Target

701b73285ddb57942fdad66eb31b1a00_NeikiAnalytics.pdf
Size

361KB
MD5

701b73285ddb57942fdad66eb31b1a00
SHA1

f4dfd6b54571002619de4d902e6231cb6dc76c41
SHA256

53b40746ed73e3068e492fdb610e6f7005940df11232a5532a50832ff0485ba9
SHA512

1c72e1df7257aa643e80db67b8fed913c7eddba4634dfee455c08d67cbcb222eda243c643aaa3e5d729ec883eb88db17d49330b8950a3f7cb5a4b97547dc2a64
SSDEEP

6144:Pdb4aEz/Cf2orpn87X2sLtpH2Mn2nTQ0fWSnpQMg0tPxt+EN7m9:Ppo/P8xIX9LtZ54pwQPVY9

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1420 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1420 AcroRd32.exe
1420 AcroRd32.exe
1420 AcroRd32.exe
1420 AcroRd32.exe

pid	process
1420	AcroRd32.exe

pid	process
1420	AcroRd32.exe
1420	AcroRd32.exe
1420	AcroRd32.exe
1420	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1420 wrote to memory of 3512	1420	AcroRd32.exe	RdrCEF.exe
PID 1420 wrote to memory of 3512	1420	AcroRd32.exe	RdrCEF.exe
PID 1420 wrote to memory of 3512	1420	AcroRd32.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 4360	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe
PID 3512 wrote to memory of 3280	3512	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\701b73285ddb57942fdad66eb31b1a00_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=547900BF0EB60BEFF41508FB4F29CFA1 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A143A202B8AB12DE895E2E1A17115651 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A143A202B8AB12DE895E2E1A17115651 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3280

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=98CE535F452ECAAA3AD88BFE5D3E4F31 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A9FBFE6236C071773493800711D63A7D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A9FBFE6236C071773493800711D63A7D --renderer-client-id=5 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2500

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FEE2294280B694DC0B51FF5AA161583D --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1964

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C6140662D3A665121B109ABD5719102 --mojo-platform-channel-handle=2400 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
65406c0d16ca37ce44ea0ee108d7f3e6

SHA1
16bf923f1bed2ac90baf78efd28c434233776944

SHA256
dde4a6c703d7af35f047c3a8eb96298e951647bfc72bef589cdd96cd7d70c6d6

SHA512
f5c094968effd8abab3149cbb311117f036692d2a600e03fb70008e57292a34aa023e5c1361b0cbd5bde0a558c33545f8be03676daf4d244c1023e52960646a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b77b8323ba5ed7df68ffb1d8f8a03061

SHA1
3aff332a16aca2bf292ff73255a2c780d76661a3

SHA256
2d2000c1bc82e34d82f93e0d33f476e7ff4c280503c01e0c79cd6897e84a5e38

SHA512
b1ae61a0d26d7d665d78c6d1fef89a63431ecbbaeca363a8745b3dc51b6f0d7921f219f27431e21a5810330054491c03ee5c581d9a4770ee679e17e629a13a3c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads