7cd65300eefd746bafefdbfb8b855c8127491c1e95d584ee80cbc574e51bc2d9

Analysis

max time kernel
291s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCMD Workshop Downloader 2 v1.0.5/resources/steamcmd.pdf
Size

41KB
MD5

92e74080401290f0384be05ae807a510
SHA1

5d97b5a73768e0ef2d19845579aa4593675b7396
SHA256

08aa43f7d20461c0ddd5682c046d9436b731961d54d1bcd5ad4041e09582244b
SHA512

7c8f01e1f40bc3b35073c34d67facea182bfe29726dd51523e23cf68d565910b4e7784137a88b2c18f6cd96086fc04ec5054e1f8cc934a8e745116e669ee6d4c
SSDEEP

768:mcciqH3/Ye8jVXR0/uMXQOzFw6QxRgLSLXsAVyyPP8n3Fm3OqBTyqfB1BWgF:mkw/18L0/bjO6QxRqSLVs7qBOW

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4980 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

4980 AcroRd32.exe
4980 AcroRd32.exe
4980 AcroRd32.exe
4980 AcroRd32.exe
4980 AcroRd32.exe

pid	process
4980	AcroRd32.exe

pid	process
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4980 wrote to memory of 4988	4980	AcroRd32.exe	RdrCEF.exe
PID 4980 wrote to memory of 4988	4980	AcroRd32.exe	RdrCEF.exe
PID 4980 wrote to memory of 4988	4980	AcroRd32.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 4120	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe
PID 4988 wrote to memory of 3436	4988	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SCMD Workshop Downloader 2 v1.0.5\resources\steamcmd.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C2E81A4B196742514AEB610A6C88879 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4120

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24AEFE756A6F31F4A29DF45A63B9B0A3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24AEFE756A6F31F4A29DF45A63B9B0A3 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3436

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E5D458E300E69D9545EC5F07B5A37862 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E5D458E300E69D9545EC5F07B5A37862 --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E2C3500CF865600A1A4460A4404114EB --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6DD25F29B8C3A84902787A37CEE6EA23 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5032

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FD46DBF57ED581B7A241278B65EA020F --mojo-platform-channel-handle=1796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-153-0x0000000000000000-mapping.dmp

Download
memory/2224-147-0x0000000000000000-mapping.dmp

Download
memory/3016-142-0x0000000000000000-mapping.dmp

Download
memory/3436-137-0x0000000000000000-mapping.dmp

Download
memory/4120-134-0x0000000000000000-mapping.dmp

Download
memory/4988-132-0x0000000000000000-mapping.dmp

Download
memory/5032-150-0x0000000000000000-mapping.dmp

Download