Overview

Analysis tasks (score per tab; sample names as shown in the tab bar):
- Static: 5
- External ...18.eml (windows7-x64): 4
- External ...18.eml (windows10-2004-x64): 5
- FZDVFGZE.jpg (windows7-x64): 3
- FZDVFGZE.jpg (windows10-2004-x64): 3
- RingCentra...il.pdf (windows7-x64): 3
- RingCentra...il.pdf (windows10-2004-x64): 1
- email-html-2.html (windows7-x64): 1
- email-html-2.html (windows10-2004-x64): 1
- email-plain-1.txt (windows7-x64): 1
- email-plain-1.txt (windows10-2004-x64): 1
Analysis (score 1)
- max time kernel: 111s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-06-2024 11:31
Behavioral tasks (sample, resource)
- behavioral1: External A New Audio VN available from Matthew _2112779118.eml, win7-20240508-en
- behavioral2: External A New Audio VN available from Matthew _2112779118.eml, win10v2004-20240508-en
- behavioral3: FZDVFGZE.jpg, win7-20240508-en
- behavioral4: FZDVFGZE.jpg, win10v2004-20240611-en
- behavioral5: RingCentral_e-Voicemail.pdf, win7-20240221-en
- behavioral6: RingCentral_e-Voicemail.pdf, win10v2004-20240508-en
- behavioral7: email-html-2.html, win7-20240508-en
- behavioral8: email-html-2.html, win10v2004-20240226-en
- behavioral9: email-plain-1.txt, win7-20240508-en
- behavioral10: email-plain-1.txt, win10v2004-20240611-en
General
- Target: RingCentral_e-Voicemail.pdf
- Size: 72KB
- MD5: 17f7d8c5859e45b196a0c6728a3e45cf
- SHA1: 4c6cc2c9c0762494922ce0da4884953a861cee50
- SHA256: 0a99dcb4d6465d22a857396d0de737b2780a900bcea8992386b801cf2076e0ef
- SHA512: b1ff36bca94c7a9aef2473db5890198b6effd06b91b19b5eec7cc21fff1ac0e3ec2925ff7fdbd762fee1186412faaabd03ed00a1b92b3a7992d27b2ed18c0770
- SSDEEP: 1536:kONCqgprCVh2yoWbv2wt9VUJsi6lgDxQIoBY2jKSBcQeP:kOcLpiRn2wCJGSNpoBYKK6cNP
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)

Modifies Internet Explorer settings
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
- 4196 AcroRd32.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
- 4196 AcroRd32.exe
- 4196 AcroRd32.exe
- 4196 AcroRd32.exe
- 4196 AcroRd32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- AcroRd32.exe (PID 4196)
  Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RingCentral_e-Voicemail.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - RdrCEF.exe (PID 4788)
    Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    - RdrCEF.exe (PID 4944)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5B13DE5B94C0DC02BCA1DF983B9BD7A3 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (PID 3956)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=04C5F94DB57871EDAAB9F06F494C5BE8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=04C5F94DB57871EDAAB9F06F494C5BE8 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    - RdrCEF.exe (PID 5004)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EDB544E8AF49F7170B000CFAC54BEFFC --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (PID 1408)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7200D83889B395AB2311E574E0D4A8D7 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (PID 2148)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0D630EBF4BC9A5368441995048FF0BB4 --mojo-platform-channel-handle=1840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - RdrCEF.exe (PID 3300)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DCB22D1AEDC16CF257EBB7617C9584CA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DCB22D1AEDC16CF257EBB7617C9584CA --renderer-client-id=7 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job /prefetch:1
- CompPkgSrv.exe (PID 1644)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
- MD5: f3552d980311600352957c3982218a12
- SHA1: 6c6963ad25fa1a57febba04881c6a02d0d0e924c
- SHA256: f77cab4c8f71ad869634ca61f88806a99203ee716212f43d42794cf1bb8ab756
- SHA512: e1abd02080b56fd7fade41e39484eb432d9e27abf2585da69d86003266053d27a3a315f228ea9b753e377f53ac5616da593c950a851ca7c679561ecffbccc802