9af2af6ac5ef1ba446670e2f8beac91b32e236b08e3b021c2bb41613c4ba6fcc

Resubmissions

14/01/2023, 06:35

230114-hcf5lsbb55 3

14/01/2023, 06:31

230114-habr4sbb27 3

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2023, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Official Trusted Traveler Program Website _ Department of Homeland Security.pdf
Size

92KB
MD5

930215ca0e81646a84d218e22bd107f3
SHA1

df3239d35398bb7d2f1d16e16f0cd5583830d747
SHA256

9af2af6ac5ef1ba446670e2f8beac91b32e236b08e3b021c2bb41613c4ba6fcc
SHA512

9b2892696950926cdc578bead1af39f96004e8496ee271e3c0617a72dd6a8a5cd8d76781ac8a284097461a84ded97ed5f20f95d1128012030418735d84905b45
SSDEEP

1536:KRFlo/dCNd10+gBLhAEInUiUSkywfimyPYjahPBYlYkoGrnq5/F89YZr:KnlwdCNP0+gcUSuivwjUBOLo2nq5VZr

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1316	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 916	1316	AcroRd32.exe	81
PID 1316 wrote to memory of 916	1316	AcroRd32.exe	81
PID 1316 wrote to memory of 916	1316	AcroRd32.exe	81
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3496	916	RdrCEF.exe	83
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84
PID 916 wrote to memory of 3716	916	RdrCEF.exe	84

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Official Trusted Traveler Program Website _ Department of Homeland Security.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BF200748872C37B8710B2CC4D44507A4 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3496
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4E1E3D232721F2F3A9BB66F212FD8E62 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4E1E3D232721F2F3A9BB66F212FD8E62 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3716
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F39B42F0A056BB31EA04F553BBA61101 --mojo-platform-channel-handle=2188 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2300
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A974EA17350273DA74D2C797C14B479 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C42E4B8D95181528E55693F630F1940F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C42E4B8D95181528E55693F630F1940F --renderer-client-id=6 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4804
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8644D499DCE083229B3EB37F62E21807 --mojo-platform-channel-handle=2020 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...