9af2af6ac5ef1ba446670e2f8beac91b32e236b08e3b021c2bb41613c4ba6fcc

Resubmissions

14-01-2023 06:35

230114-hcf5lsbb55 3

14-01-2023 06:31

230114-habr4sbb27 3

Analysis

max time kernel
289s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2023 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Official Trusted Traveler Program Website _ Department of Homeland Security.pdf
Size

92KB
MD5

930215ca0e81646a84d218e22bd107f3
SHA1

df3239d35398bb7d2f1d16e16f0cd5583830d747
SHA256

9af2af6ac5ef1ba446670e2f8beac91b32e236b08e3b021c2bb41613c4ba6fcc
SHA512

9b2892696950926cdc578bead1af39f96004e8496ee271e3c0617a72dd6a8a5cd8d76781ac8a284097461a84ded97ed5f20f95d1128012030418735d84905b45
SSDEEP

1536:KRFlo/dCNd10+gBLhAEInUiUSkywfimyPYjahPBYlYkoGrnq5/F89YZr:KnlwdCNP0+gcUSuivwjUBOLo2nq5VZr

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3960	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe
3960	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 4432	3960	AcroRd32.exe	85
PID 3960 wrote to memory of 4432	3960	AcroRd32.exe	85
PID 3960 wrote to memory of 4432	3960	AcroRd32.exe	85
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 5092	4432	RdrCEF.exe	88
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89
PID 4432 wrote to memory of 4980	4432	RdrCEF.exe	89

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Official Trusted Traveler Program Website _ Department of Homeland Security.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C696B1CA5E47195C8CA34EE9CA9CDBCB --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5092
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=185D79D5F91C09482F96C2969FD50392 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=185D79D5F91C09482F96C2969FD50392 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8173EDA5F569DA34C63F9598C841F9EF --mojo-platform-channel-handle=2180 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4220
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C3243752AFC7959D1186A278DBB237D3 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2440
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=51D6C14A752907C48B3296103F3EFD14 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D9E9D4F5CD086D626FB886382E23491C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D9E9D4F5CD086D626FB886382E23491C --renderer-client-id=7 --mojo-platform-channel-handle=2012 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads