42b5d414c5ff65e662998a92cf54179df694e5ee88793531fee4ee32e70d41fb

General

Target

AcroRdrDCx642400320112_en_US.exe
Size

443.6MB
MD5

5c5dd077a31f23873dbe25ab6ef34933
SHA1

0ed71a3efa6df98f5cc6bba9fa4f7c80d5d78c2f
SHA256

42b5d414c5ff65e662998a92cf54179df694e5ee88793531fee4ee32e70d41fb
SHA512

e5b60089ade6c6acc1d147c15357e2b429b1fa19354fc757df0ff85b46435b79046e53b8b24e79d163743fe3f93229687d844b527ae7c8ad3c63732fa83f0acb
SSDEEP

6291456:IzwRUHohZ0VHvxI0/r8tSzMXPhHm9sson9HFMAYFbL3/sbCQaML56XLTIzY3ywu8:WohZTAI/J9JM33/sbza9XfAY3y6wEyt+

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\abcpy.ini	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\Temp\26938\installer.bin	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\Temp\26938\installer.bin	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\10874.txt	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\Core.cab	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\Core.cab	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\AcroRdrDCx64Upd2400320112.msp	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\Temp\26938\31092.txt	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.ini	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\abcpy.ini	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\AcroRdrDCx64Upd2400320112.msp	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\Temp\26938\config.bin	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\Temp\26938	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\Temp\26938\config.bin	AcroRdrDCx642400320112_en_US.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\AcroPro.msi	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\AcroPro.msi	AcroRdrDCx642400320112_en_US.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.ini	AcroRdrDCx642400320112_en_US.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	setup.exe
1192	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2980	AcroRdrDCx642400320112_en_US.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRdrDCx642400320112_en_US.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2980	AcroRdrDCx642400320112_en_US.exe
2980	AcroRdrDCx642400320112_en_US.exe
2980	AcroRdrDCx642400320112_en_US.exe
2808	setup.exe
2808	setup.exe
2808	setup.exe
2808	setup.exe
2808	setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2808	2980	AcroRdrDCx642400320112_en_US.exe	31
PID 2980 wrote to memory of 2808	2980	AcroRdrDCx642400320112_en_US.exe	31
PID 2980 wrote to memory of 2808	2980	AcroRdrDCx642400320112_en_US.exe	31
PID 2980 wrote to memory of 2808	2980	AcroRdrDCx642400320112_en_US.exe	31

C:\Users\Admin\AppData\Local\Temp\AcroRdrDCx642400320112_en_US.exe
"C:\Users\Admin\AppData\Local\Temp\AcroRdrDCx642400320112_en_US.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
  "C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe" /msi DISABLE_CACHE=1
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Reader\Temp\26938\config.bin

Filesize
3KB

MD5
c28672dec79bafe8e8f1ffbb5323fd83

SHA1
68730beceadce609f731bf7c18e77aaff220e29a

SHA256
dbe36a4b065a8c5aa52b066a837c06044d373d7f81d0ee7c2e313de460bde3e5

SHA512
8cb3b16d431cf7776624289df3fd1c6bf86ab4587a1f4c2dab1dd207e66a69520390968d3f2f37598e918160b57fb87762279da0a40670bace06f6be86f40677

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.ini

Filesize
269B

MD5
83361d9265a137aad732af43c5f23ce1

SHA1
73e0e6c72aebd3ced38d93a3c0200edcf3d5445e

SHA256
e22fdac7c9d9fcd4aa8186731aea26ad5e47228c48116924ad1d106f6a17a5ef

SHA512
215c4f3ad7fc74eb21eefd75db280d16568f8adabefe87d5eef117267d0d80e2a721d66f59bada183d6a538b4d73cb80576dbcf86987ee057faf90fda5b3ddd4

Download Submit
\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe

Filesize
636KB

MD5
228037b00acb7cf3c059d51cf0e0728d

SHA1
14590e917d68375d8e4f33d6a984ad82be0bbcf9

SHA256
8a9f151e112fafd0fdba94941b1926273f9c9cd9700217765f0064677f5d417b

SHA512
c3042b22cc77db81b97685a66eacd25872b39195dc3c34f8695b2c16646a526c55718a4298df4043dda250555a04a6c53c4add5796a3430f64d782f20750f9ac

Download Submit

Analysis

Sharing