Analysis
-
max time kernel
135s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-10-2024 17:16
Behavioral task
behavioral2
Sample
[email protected] Salary & Benefits.pdf
Resource
win10v2004-20241007-en
General
-
Target
[email protected] Salary & Benefits.pdf
-
Size
40KB
-
MD5
619ef790b532e9b8e9100d7a01dc3a3c
-
SHA1
f0f31376c6c30f25a88d1f92f0a1b11e4acf08a5
-
SHA256
15ac152bab06e685c06a82a6a593a9b54fa7d02c8694fa4b2c749ed41aaff0d0
-
SHA512
e9aad1a785c944b798ad3cd7749a590e60a3beccba5e0aa68db3338714d06a68c13c48f7885c3b4593bb97086ac27b9342fe8e4328c94f91cd6df5651cb18cdf
-
SSDEEP
768:tn5psVFT/TczuJbvr3VveLhebxQCBYEMr4HJJ5iKZU02Tq66kQSwzDB:tUzTrc6Jbvr3VveVe7CTgJ5bUZTq66kk
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
-
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4300 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
4300 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4300 wrote to memory of 4488 | 4300 | AcroRd32.exe | 89
PID 4300 wrote to memory of 4488 | 4300 | AcroRd32.exe | 89
PID 4300 wrote to memory of 4488 | 4300 | AcroRd32.exe | 89
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4924 | 4488 | RdrCEF.exe | 92
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
PID 4488 wrote to memory of 4544 | 4488 | RdrCEF.exe | 94
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\[email protected] Salary & Benefits.pdf"
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4300
  -
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4488
    -
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9BF480BD7FA326818C9A012497708708 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - System Location Discovery: System Language Discovery
    PID:4924
    -
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6EE2BB55D5533BAE83E7AA22AA4F41FC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6EE2BB55D5533BAE83E7AA22AA4F41FC --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    - System Location Discovery: System Language Discovery
    PID:4544
    -
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C30B48C873870CE351785E3FD0022202 --mojo-platform-channel-handle=2352 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - System Location Discovery: System Language Discovery
    PID:2396
    -
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3969B6B75FBDCF17A14BFEDAB1DE182D --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - System Location Discovery: System Language Discovery
    PID:2080
    -
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=334D89B0C93C3F5BD8BAC32B46CD39AB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=334D89B0C93C3F5BD8BAC32B46CD39AB --renderer-client-id=6 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
    - System Location Discovery: System Language Discovery
    PID:3024
    -
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AEFBF08A6D135B9566A165479A4AED83 --mojo-platform-channel-handle=2816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - System Location Discovery: System Language Discovery
    PID:1732
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4736
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
64KB
MD5 8e0927d9189e73a6b5375b17713ba737
SHA1 f1459922dafab8f3cdda4f04da0aab3297de0078
SHA256 b8f38ee6877e6284a679f9224355247638e34d3540e95da7b45d9a010966e1ec
SHA512 c7d1f6e705a1ac430e8d9452960fe7f66f6eb86153e0af7ab763998022473aa011d2f54b5f31748af433c120db131db14325162150df05bc046898ed20b05f2f
-
Filesize
56KB
MD5 c26ed30e7d5ab440480838636efc41db
SHA1 c66e0d00b56abebfb60d2fcc5cf85ad31a0d6591
SHA256 6a3c5c4a8e57f77ecc22078fbf603ecc31fb82d429bd87b7b4b9261447092aef
SHA512 96cdb78bca3e01d4513c31661987e5646e6a8ff24708918aa0d66dfa3ca5d98af4862c9f38c4f41f933c345d2d3adfb1d34d1430b33f45f916f41a9872a030df
-
Filesize
56KB
MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5