9c84065a5d4f51b2126eeccf0a5f9a9491685cfe2aa1bef31b2d5ba3e845e331

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9C84065A5D4F51B2126EECCF0A5F9A9491685CFE2AA1BEF31B2D5BA3E845E331.pdf
Size

127KB
MD5

3b7a188a90d43e73f84aaba817d8a899
SHA1

5fec7cc422bdb9959659e8181ad958391f0f2377
SHA256

9c84065a5d4f51b2126eeccf0a5f9a9491685cfe2aa1bef31b2d5ba3e845e331
SHA512

6e127c1064be5cb5a8e6643eeb3723270786c6a8fe9e0172407ab5841cdc8cb2a71c0e3ee678b6365cf94fb1188d3b28de6e8fc43c30aef2ec12a62f85e4c010
SSDEEP

3072:7FF1uHbxaY8P3QYYYYYYYYYYYYYYYYYYYYYYYYYYYYYyqPcOxbzsg3c6:31uHbxaYs3QYYYYYYYYYYYYYYYYYYYYI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2756	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2756	AcroRd32.exe
2756	AcroRd32.exe
2756	AcroRd32.exe
2756	AcroRd32.exe
2756	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3536	2756	AcroRd32.exe	91
PID 2756 wrote to memory of 3536	2756	AcroRd32.exe	91
PID 2756 wrote to memory of 3536	2756	AcroRd32.exe	91
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 3968	3536	RdrCEF.exe	92
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93
PID 3536 wrote to memory of 2352	3536	RdrCEF.exe	93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\9C84065A5D4F51B2126EECCF0A5F9A9491685CFE2AA1BEF31B2D5BA3E845E331.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3FC7437940A112C5E5E145AC2F2D53F1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3FC7437940A112C5E5E145AC2F2D53F1 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3968
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=81FC34E7F8DE9C9FFB47CBD9703BC46F --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2352
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6F3FCA88DD4B9D66F84B25841D974982 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6F3FCA88DD4B9D66F84B25841D974982 --renderer-client-id=4 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5016
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B6CA401929922D0CC7A0CC1377359BB1 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2940
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E9669978400F7A942E1664DBF3EFA5AF --mojo-platform-channel-handle=2128 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4728
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4FD06A7607D568320EC54CA9939FAC72 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6941c7aa33073d0c4e65e32f07fb3ab8

SHA1
8db4a4c81ff992d2084c42626a92cec96df2b93c

SHA256
43c23e7455db970a693aed7ac8f2757137eb2c032469d5cae16b1106c4148f0e

SHA512
c48fb01ddd5d0e4cedeead722180b9b6f891cc3cc70366bcd99ac73849d024b1a22412d1e143333c73e068c5056ffade15fc7a134b8c6b407335cdc479311802

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1a525204b0454812d4b417af3c50ff01

SHA1
a47049513532f95aa08377a580760f14bd8a1e16

SHA256
ac2f88d31064bb0a33ec067b5595e1a816942a1ffad6c09bb4aa4158ee8fae1d

SHA512
61e5d39ab1d49ec496d8e135d0e40f330dba33684fbf3f867d59b201cef64d1d6d08262be09efe4389f18a759b515562139340fc85dc59c7fd15628400b36cb4

Download Submit
memory/2756-220-0x000000000A1B0000-0x000000000A1D1000-memory.dmp

Filesize
132KB

Download