f897cd76acf3e76b939b71b7e2fb985f2787240a6c8f10d5d28d8a826064a5d1

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f897cd76acf3e76b939b71b7e2fb985f2787240a6c8f10d5d28d8a826064a5d1.pdf
Size

2.6MB
MD5

2bb6d7c7e155726718c6d1340ffcc3fc
SHA1

d1507bca18a1a1e287b7dad5f69617cab4834c8c
SHA256

f897cd76acf3e76b939b71b7e2fb985f2787240a6c8f10d5d28d8a826064a5d1
SHA512

3e7cb5c5e1c9ee45b494538092e3e504b70600cc96f4e0c8801c52119cdf5fb35f842a8ae80d2572d849ae1dd01040e2d7e688da948b743fb464d22b4048f169
SSDEEP

49152:XsIgk7IANjnlo0oKar/y4H85Nsap6EsRmzsvuFV8uzSQhf4Rkl7ni:cV2IcXoPszYPuzVp4Ki

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2176	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2176	AcroRd32.exe
2176	AcroRd32.exe
2176	AcroRd32.exe
2176	AcroRd32.exe
2176	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3912	2176	AcroRd32.exe	90
PID 2176 wrote to memory of 3912	2176	AcroRd32.exe	90
PID 2176 wrote to memory of 3912	2176	AcroRd32.exe	90
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 60	3912	RdrCEF.exe	91
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92
PID 3912 wrote to memory of 2640	3912	RdrCEF.exe	92

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f897cd76acf3e76b939b71b7e2fb985f2787240a6c8f10d5d28d8a826064a5d1.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=809EA51D82C1FE3B27750B868D811622 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:60
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=344395F6EFFDB45D6C523DA402194D2C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=344395F6EFFDB45D6C523DA402194D2C --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2640
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=11A3B8ED3B69631FB262545F9F50EC41 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=11A3B8ED3B69631FB262545F9F50EC41 --renderer-client-id=4 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4504
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2166A96AAFA0E1ADFCA1E41E1BB46712 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3068
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8B34AF89CDCAA84DBA21296FA803C59 --mojo-platform-channel-handle=2644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5766F636C31FA7E2E29091CB1BEA02C7 --mojo-platform-channel-handle=2516 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a177c7b6c479288d63779c8824078ce5

SHA1
c2944a39d8316c8011acc144e8270c3d47a5bf0b

SHA256
f0beb1a1f64447999a7ee6d0b9fc380665de8d03c5eab33dfb60be050048873b

SHA512
e704bed8926100a8aa2411e384e451fa672d7dd3961a581dc4fa4532a98f0af0d5b7668d133b979873fc1e52cd2b2c8e233beaebba42c74c4939db508c614db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7460833fe710a9180cb4efa581f57816

SHA1
e575eeb41207e784bb8a2047bd1fe47cf613f0d1

SHA256
fea7202c69a0e2e8948334e032e4665eeb024e7d30969227340ea626f39f3d60

SHA512
5c51fde7be6d3a1134f87377ce71146a14634d6468adf39035d8487f4e23977cb9dfeb262909e895261c7cf7012d39c782c59ca51412a49a9184857ac52ae29b

Download Submit
memory/2176-162-0x000000000A510000-0x000000000A531000-memory.dmp

Filesize
132KB

Download