9777bfba8aec841c3ae8f6a43a5386342f68a34c68bdb903e2113f08586d8450

Analysis

max time kernel
141s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AUTO-30936.pdf
Size

7.6MB
MD5

36984fd0af5e47d5a2a54cd52247baa5
SHA1

bb01334d21158d7fde1ba8c20014f94b8be41212
SHA256

5278d96b96a67a216e0388cdbc6a3c27236defcffe02917f7212970e188c4781
SHA512

42010b0a5fcf1b896f007cc8077645a543ae83dd5c9e7b7ec01a54c58b65420dcc1773ff81614655719be6f233827114bc444ee62111a84381d420dee2c5e94c
SSDEEP

98304:RoXoeCmQP5wVX9THdn9MQvloeCmQP5wVX9Eo1Hdn9MQv1Hdn9MQvEQqT2m9n/BoF:RCWmjNTHdDWmjNEyHd/HdHvm9JoZj

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1896	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1896	AcroRd32.exe
1896	AcroRd32.exe
1896	AcroRd32.exe
1896	AcroRd32.exe
1896	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2280	1896	AcroRd32.exe	90
PID 1896 wrote to memory of 2280	1896	AcroRd32.exe	90
PID 1896 wrote to memory of 2280	1896	AcroRd32.exe	90
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 4108	2280	RdrCEF.exe	91
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92
PID 2280 wrote to memory of 3952	2280	RdrCEF.exe	92

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AUTO-30936.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5DBC10FE292A63B1FBD261FEE9E644AC --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4108
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8BAF2B46BF09E533FA91B5A34E9911E9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8BAF2B46BF09E533FA91B5A34E9911E9 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3952
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8FBD99D1A13AE71518462B1EAAB33406 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8FBD99D1A13AE71518462B1EAAB33406 --renderer-client-id=4 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2748
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C20A8E83D558B91918CA241C12FCFDC2 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1368
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=07263C75EFDEF145CF3A830E012D16BA --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4100
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7AEEBE6E526C938EE37E54FF8A96B88F --mojo-platform-channel-handle=2824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e7ac80b13e5c4500621db97e26bf3d18

SHA1
287d3d54b86fa5cd01ef9774eda6b7f72242c8b0

SHA256
01e6f64e11175c8f7b756a467b9b5b4342809e19a5dcd3aea4fd471bee534f3b

SHA512
7e658dbd35860dae86c54ae467a2ec1ea34c468f2da5a349208ab5fa1fff44ec80c3c90b18b461b7a7d34b563a671e930bdbb8bf408ed3a90fa631665ac8ae12

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
05d78fe25858115bfc2b1b213d871417

SHA1
ff745a77c9f22944dba513aa725894ca58889753

SHA256
430d85aa6cc6533458c3eb1bad628ae7d8d6243c1766e0767c830322afb5ae7f

SHA512
557605edd77cb5e28dd706158205fd1bbd7ac1ebebc27a9fda9540630554d1d6cc5200894eda5c4ec9e914a4288e04026ca078efea3d3bad34163f95aacf89d3

Download Submit
memory/1896-162-0x0000000009620000-0x0000000009641000-memory.dmp

Filesize
132KB

Download