4b970d6f15837348ee14c9c8da0df05fba63882dd3921e1e9d2748a2f98b34e1

General

Target

6c1423373fcbb1f16e2d8735b8c79ad0_NeikiAnalytics.pdf
Size

34KB
MD5

6c1423373fcbb1f16e2d8735b8c79ad0
SHA1

11e069d8358a44d4641465e698f3e2c6ee25c760
SHA256

4b970d6f15837348ee14c9c8da0df05fba63882dd3921e1e9d2748a2f98b34e1
SHA512

868d9fcf27c5edb496c613168b5696ea94d71e2cee9744f1e897901b6142037cf5f82eb8fdfdd242e077e2969da4432f4578667cdea901aaddb6d759fd8472d7
SSDEEP

384:PMbRvKBhRuhRplLFsmwDx900cu71ez7Y2yrRlOD4sxUCUS6FBr0DrMEo3fTvmqGm:U5OAbFsv5cu5ALaPObWprOXo7mq09Fk

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2872 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2872 AcroRd32.exe
2872 AcroRd32.exe
2872 AcroRd32.exe
2872 AcroRd32.exe

pid	process
2872	AcroRd32.exe

pid	process
2872	AcroRd32.exe
2872	AcroRd32.exe
2872	AcroRd32.exe
2872	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2872 wrote to memory of 4396	2872	AcroRd32.exe	RdrCEF.exe
PID 2872 wrote to memory of 4396	2872	AcroRd32.exe	RdrCEF.exe
PID 2872 wrote to memory of 4396	2872	AcroRd32.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 1344	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4880	4396	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6c1423373fcbb1f16e2d8735b8c79ad0_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C2C5F8A6E6F26485DB1722CB996B476 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1344

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0C7504B9F3A7AC9707EF46050EC0B9D3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0C7504B9F3A7AC9707EF46050EC0B9D3 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4880

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=555746394A7074BF0D74D339223D114E --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4884

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3703B3D50C01386FB328979C31E33291 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1632E00DB71EBC389FA3712CB0029CC8 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4320

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C10E75A4F7C6426DDB9E385C4B81E105 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C10E75A4F7C6426DDB9E385C4B81E105 --renderer-client-id=7 --mojo-platform-channel-handle=2484 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7bdc6ace3e246209f422e11561404fbc

SHA1
136c8a5feb64d67f53ad4e2145f85bf583d3c8b1

SHA256
594b76d718c7bce8240df27c85f001cf2824deff0e19c7f90af312701db54439

SHA512
76373ba65e75149ce989204057d54fad098bcc065581f65cb88a04e15e423f9740195ab33b7a207591ec32b63a3e478d0ed4e0c0c179c4f74cb5c55546eec7a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
95752d9f93192ddc3f11d3d2c581d963

SHA1
5a76136b41be619b93a972a6c1849d744fa4f871

SHA256
f6b29329678d52b2c63507ce4d26ccca2c563a721da3d9440ee374d7dcb920e5

SHA512
8892ef3049cd4e8d2ec45498edab977252e7c46c09228211286d30eb577a71163ea2f3a500ef8f57691aaf11ad312a4b3d767b7ed3b256d8a11a4fefb60d4df9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads