IOC Report
85500000571-1.pdf

Files

File Path

Type

Category

Malicious

85500000571-1.pdf

PDF document, version 1.4, 1 pages

initial sample

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

data

modified

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF4ca026.TMP (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

data

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241030132452Z-200.bmp

PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

SQLite 3.x database, last written using SQLite version 3024000, file counter 15, database pages 15, cookie 0x5, schema 4, UTF-8, version-valid-for 15

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

SQLite Rollback Journal

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

data

dropped

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\85500000571-1.pdf"

Details

Is windows:	true
Is dropped:	false
PID:	3428
Target ID:	0
Parent PID:	1244
Name:	AcroRd32.exe
Class:	acrobat
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\85500000571-1.pdf"
Size:	2525680
MD5:	2F8D93826B8CBF9290BC57535C7A6817
Time:	09:24:45
Date:	30/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1140000
Modulesize:	2539520
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

Details

Is windows:	true
Is dropped:	false
PID:	3608
Target ID:	2
Parent PID:	3428
Name:	RdrCEF.exe
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Size:	9805808
MD5:	326A645391A97C760B60C558A35BB068
Time:	09:24:50
Date:	30/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	9830400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

IPs

IP

Domain

Country

Malicious

192.168.2.255

unknown

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

aFS

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

tDIText

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

tFileName

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

tFileSource

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

sFileAncestors

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

sDI

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

sDate

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

uFileSize

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles\c1

uPageCount

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings