Reversing_con_IDA_Pro_Desde_Cero.pdf
This report is generated from a file or URL submitted to this webservice on March 4th 2019 17:05:04 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators 2

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
  - 2/67 reputation engines marked "https://mega.nz" as malicious (2% detection rate)
  - 2/67 reputation engines marked "https://mega.nz/" as malicious (2% detection rate)
- source: External System
- relevance: 10/10
General

Found a potential E-Mail address in binary/memory
- details: Pattern match: "1g@j.x"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114
Informative 12

Exploit/Shellcode

Possible heap spraying attempt detected
- details: "RdrCEF.exe" issued more than 3000 memory allocations
- source: API Call
- relevance: 10/10
External Systems

Sample was identified as clean by Antivirus engines
- details:
  - 0/37 Antivirus vendors marked sample as malicious (0% detection rate)
  - 0/57 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General

Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Local\Acrobat Instance Mutex"
  - "\Sessions\1\BaseNamedObjects\DBWinMutex"
  - "Local\Acrobat Instance Mutex"
  - "DBWinMutex"
  - "com.adobe.acrobat.rna.RdrCefBrowserLock.DC"
  - "\Sessions\1\BaseNamedObjects\com.adobe.acrobat.rna.RdrCefBrowserLock.DC"
- source: Created Mutant
- relevance: 3/10
PDF file has an embedded URL
- details: "https://mega.nz/#F!GNBWzQrQ!RuD9p_PBIMwdqyQKKRooww" (Based on: "0e529d597b8e76a09a436d269fc8fbcd4a8f457a011f3469dca2f82242dead1a.bin")
- source: File/Memory
- relevance: 3/10
Process launched with changed environment
- details: Process "RdrCEF.exe" was launched with modified environment variables: "Path"
- source: Monitored Target
- relevance: 10/10
Scanning for window names
- details:
  - "AcroRd32.exe" searching for class "JFWUI2"
  - "AcroRd32.exe" searching for class "AcrobatSDIWindow"
  - "AcroRd32.exe" searching for class "AdobeAcrobatSpeedLaunchCmdWnd"
  - "AcroRd32.exe" searching for class "AdobeReaderSpeedLaunchCmdWnd"
  - "AcroRd32.exe" searching for window "_AcroAppTimer"
  - "AcroRd32.exe" searching for class "Shell_TrayWnd"
  - "AcroRd32.exe" searching for class "Acrobat Instance Window Class"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010
Spawns new processes
- details:
  - Spawned process "RdrCEF.exe" with commandline "--backgroundcolor=16448250"
  - Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=4FB4583A46767C1AEC7510A4 ..."
  - Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=75E6C5565FF09340D1DCE01A ..."
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Creates new processes
- details:
  - "AcroRd32.exe" is creating a new process (Name: "%WINDIR%\System32\svchost.exe", Handle: 824)
  - "RdrCEF.exe" is creating a new process (Name: "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe", Handle: 1348)
  - "RdrCEF.exe" is creating a new process (Name: "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe", Handle: 1448)
- source: API Call
- relevance: 8/10
Dropped files
- details:
  - "data_1" has type "data"
  - "Visited Links" has type "data"
- source: Binary File
- relevance: 3/10
Found a string that may be used as part of an injection method
- details: "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1055
Touches files in the Windows directory
- details:
  - "RdrCEF.exe" touched file "%WINDIR%\System32\spool\drivers\color\sRGB Color Space Profile.icm"
  - "RdrCEF.exe" touched file "%WINDIR%\System32\oleaccrc.dll"
  - "RdrCEF.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "RdrCEF.exe" touched file "%WINDIR%\System32\KBDUS.DLL"
  - "RdrCEF.exe" touched file "%WINDIR%\System32\drivers\etc\hosts"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\arial.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\arialbd.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\arialbi.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ariali.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALN.TTF"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNB.TTF"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNBI.TTF"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNI.TTF"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\ariblk.ttf"
  - "RdrCEF.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"
  - "RdrCEF.exe" touched file "%WINDIR%\Fonts\segoeuil.ttf"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details:
  - Pattern match: "https://mega.nz/#F!GNBWzQrQ!RuD9p_PBIMwdqyQKKRooww"
  - Heuristic match: "qqqA\.Ck"
  - Heuristic match: "( +VX
.vE"
  - Pattern match: "mh-nexus.de/downloadsJHxDSetuDES.ziD"
- source: File/Memory
- relevance: 10/10
File Details

Reversing_con_IDA_Pro_Desde_Cero.pdf
- Filename: Reversing_con_IDA_Pro_Desde_Cero.pdf
- Size: 82MiB (86410941 bytes)
- Type (description): PDF document, version 1.3
- Architecture: WINDOWS
- SHA256: 0e529d597b8e76a09a436d269fc8fbcd4a8f457a011f3469dca2f82242dead1a
- MD5: 6d074ff49dca13757e0f732595d4e5cb
- SHA1: c47a75f86c863b6a8290136ca29c3f08455a5597

Classification (TrID)
- 100.0% (.PDF) Adobe Portable Document Format
Hybrid Analysis
Analysed 4 processes in total.
- AcroRd32.exe "C:\Reversing_con_IDA_Pro_Desde_Cero.pdf" (PID: 4404)
- RdrCEF.exe --backgroundcolor=16448250 (PID: 4692)
- RdrCEF.exe --type=renderer --primordial-pipe-token=4FB4583A46767C1AEC7510A4C7B2BAD1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.11.20036 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=4FB4583A46767C1AEC7510A4C7B2BAD1 --renderer-client-id=2 --mojo-platform-channel-handle=1292 --allow-no-sandbox-job /prefetch:1 (PID: 3808)
- RdrCEF.exe --type=renderer --primordial-pipe-token=75E6C5565FF09340D1DCE01A07996279 --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.11.20036 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=75E6C5565FF09340D1DCE01A07996279 --renderer-client-id=3 --mojo-platform-channel-handle=1340 --allow-no-sandbox-job /prefetch:1 (PID: 1600)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files

Informative 2

data_1
- Size: 264KiB (270336 bytes)
- Type: data
- Runtime Process: RdrCEF.exe (PID: 4692)
- MD5: d1d12deb3ab2d38445f8b113ed07f0f1
- SHA1: c3c2ef4b7388377c29bcd891a3503865cd92a7ce
- SHA256: 4dc8571d95778c903b7eda4de202164c561dbb6fa768b961b6c63640e9b55269

Visited Links
- Size: 128KiB (131072 bytes)
- Type: data
- Runtime Process: RdrCEF.exe (PID: 4692)
- MD5: e5f299c3100e113c9343e86ed9504a2d
- SHA1: 7865b3759d1cba84cc165aceb3ceee856f31f6e2
- SHA256: 9d1c9dc432b2e97f7a54b4da2724e4ff96dc719e60cb89c9f82dbec9226856c3
Notifications

Runtime
- Added comment to Virus Total report
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-70" are available in the report
- Not all sources for indicator ID "api-88" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report