e7d6f738cd5aedc859b0b3a277ab5afa1b3dc78589500296d7cc754bc0af61f6

General

Target

6a1f91db769461558a0d9332e412e6c0_NeikiAnalytics.pdf
Size

145KB
MD5

6a1f91db769461558a0d9332e412e6c0
SHA1

6bb640bbfa0eb14a261d31f2624f5c8033a6457f
SHA256

e7d6f738cd5aedc859b0b3a277ab5afa1b3dc78589500296d7cc754bc0af61f6
SHA512

7d3aad92f807e902e0a663e9f09dc7482b538ba306a0631d0eb917047f22c8e6660ad7e2f5f1e6afea07559935966efd1b05c3910173f7ff50ee014daebabe2c
SSDEEP

1536:Qq/iKBMK6UpuMFh7QeQU9B/s6Fy0tcHYPPP4knpgwwWZCxbqQrBLxaPhQBVHXXiA:+Kb9Pi0Dz+YX3sP1Ntx5BVHXXoCJqbi

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

228 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

228 AcroRd32.exe
228 AcroRd32.exe
228 AcroRd32.exe
228 AcroRd32.exe

pid	process
228	AcroRd32.exe

pid	process
228	AcroRd32.exe
228	AcroRd32.exe
228	AcroRd32.exe
228	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 228 wrote to memory of 704	228	AcroRd32.exe	RdrCEF.exe
PID 228 wrote to memory of 704	228	AcroRd32.exe	RdrCEF.exe
PID 228 wrote to memory of 704	228	AcroRd32.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 3548	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe
PID 704 wrote to memory of 4604	704	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6a1f91db769461558a0d9332e412e6c0_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6C7F4EAC5D3FD033B6B9C96972E93E96 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=185F50065A66169FE7C03FEEE26C7FDB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=185F50065A66169FE7C03FEEE26C7FDB --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=480F45105036082F9966FB2709923B52 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2912

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A4E296954EA7DDAD3ECEB756753A691 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2148

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DB067E59B3C3B693559B2305FA825E84 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A2A7C55472CE3018AD54F35A9D732730 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A2A7C55472CE3018AD54F35A9D732730 --renderer-client-id=7 --mojo-platform-channel-handle=1892 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
044654b10c0904f0635be813dc8bde84

SHA1
15cf01b417a20aa6c3837337f1fe3050a473c7a9

SHA256
2600c98ea450208769a64e8181977ca5be4dee8452f26b7bc26b97fbb85aa859

SHA512
9711b250cfa547877332c095a63536d5751aeab427ce6fd0ec6194052ca9a0c014a5d27b33e529518b6775fd7c167cca53219de1dbcb043b619cca57eccc3638

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7ec4426b7969cb80d8b74330ca8dab1b

SHA1
a9e6ff76f206feb10a25b1d6ae092af88d3fe896

SHA256
f07fa2372ae39199aa1202bdc20af2a2f8659e4a27910f5e81a2acf5786175d4

SHA512
e545748b6028b73429d6fba43adfd7ca6d929c7e738471c26bfbb0fed90712a8399ba65a57eb76f3fd0b2039185b7e089e8407ce586c489d5807d6373f9d90bf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads