89aee68be0787afe7b56794b9a9917c5ee4329e64c28ea805c0b73131b6c84c8

Analysis

max time kernel
140s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2023, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UNILEVER RFQ 5.pdf
Size

600KB
MD5

042eeb189e1d8dfc4d70c2868acb86ba
SHA1

055f61f0b56429351b64c53a9482e5c5fe39a13c
SHA256

89aee68be0787afe7b56794b9a9917c5ee4329e64c28ea805c0b73131b6c84c8
SHA512

cc7783312c8221495011ef383438f138d98427ebab8d389a654db6928c496633a4a398072e64ae10c52e1033d0a3e915037ddba4bfe123a81989506d81d5af79
SSDEEP

12288:YYurQt5ZxpFm2eq5uvIPBvsLhAZ0+LuYbvwJVsanz6bO0lCI7F5tfIcJ:TsQt5U/KvsLhAZjLhTancDf7bz

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B77D3EA0-58EE-41FD-BC5D-0981352901C3}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{36FA0331-6B11-4D7B-ACCE-C96959E429E4}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F9D9A7B7-1774-4600-ACCB-1DE4B80FFC58}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0C5F9D0B-D06B-4B72-AFE7-8C5737D2FA63}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AB9586B7-27FF-44DE-AB37-792805087C63}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B3053532-FE6F-4C7B-8250-857710AA91BB}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8B2C43F9-F36D-4CCC-9721-C9308CE0518A}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D993DAAB-EFFA-4B63-AB48-BF85B545AFA9}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2560	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 4024	2560	AcroRd32.exe	83
PID 2560 wrote to memory of 4024	2560	AcroRd32.exe	83
PID 2560 wrote to memory of 4024	2560	AcroRd32.exe	83
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 2140	4024	RdrCEF.exe	84
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85
PID 4024 wrote to memory of 4440	4024	RdrCEF.exe	85

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\UNILEVER RFQ 5.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B3506780F1464ABF7BBAA6AED3D76296 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2140
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6AC38B2A0DF5F4F1B9E777A402032667 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6AC38B2A0DF5F4F1B9E777A402032667 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4440
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BDBBFDED9B520524D3111D65D3B8D844 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1976
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=90A8C831CBB01B3D913DE183ADCED3A7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=90A8C831CBB01B3D913DE183ADCED3A7 --renderer-client-id=5 --mojo-platform-channel-handle=1968 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=95F4CBC2637EDEB59D790E9CAA51A06B --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A6C7ED7D31A4ED14D1B83F98779B59E0 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:5052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4fdf1ff0c782ef1200cc4d810b4e20ea

SHA1
1c2a45c24b6a666bb51cc58d385169e6edf53a98

SHA256
f026d6639e16cc591f81c3525bf6ea621b29a2f30f751e1f76a458078b5786b5

SHA512
880ec5310a9932ca4c213f284fef66d1adc1c2bf0af286c138fb18926f49d398c1734a4e19f91cb90668f70156689025ea352e64c185966796859e0821b396b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
bf7cc29569a1a43fe6928240cf4b4182

SHA1
358247d4a8ae6e3ca36a68c1407b35104ea33c94

SHA256
c55439ca28cc6e51c5b65ff19a6c8f94a07e7fc00406fa69fdd11b0fff3c33e2

SHA512
5ed3b009d5b07ae65d41826f55e8c0893b41151b1025ff1c621f3704972608274822159b21696ffe084a98fffb8df47fdbc40c316189a0d30f3a78f41d27660e

Download Submit