3a6ac5275277225c96bfac3e3bd0e3c48ec684b056081598163c5dcbe57a2946

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BWXW9XJanX2023X-XShortcut.pdf
Size

1.3MB
MD5

a1a0b21652151efb78fb399d476ebf1d
SHA1

ea865a1f21fa599349c87dc24a251fbe0902b102
SHA256

3a6ac5275277225c96bfac3e3bd0e3c48ec684b056081598163c5dcbe57a2946
SHA512

0103fd7de17258f73c8717d2c6af7fd996e627e9e262079dc23fd089b6db9c45bc7ac0f6990815ecf61be966e47e760d22c5b8e6f9f75f3ed919423f98b7b19a
SSDEEP

24576:du6Rr1kKdJ/6CcP6DqWvjSOtazuI0P0g43UOnNcx+TxEZhQN1DUhqP6:Uy1hdoCGWjSOtaud0VKx+2ZyvyqC

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3660	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3660	AcroRd32.exe
3660	AcroRd32.exe
3660	AcroRd32.exe
3660	AcroRd32.exe
3660	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3876	3660	AcroRd32.exe	85
PID 3660 wrote to memory of 3876	3660	AcroRd32.exe	85
PID 3660 wrote to memory of 3876	3660	AcroRd32.exe	85
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 656	3876	RdrCEF.exe	87
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88
PID 3876 wrote to memory of 2264	3876	RdrCEF.exe	88

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BWXW9XJanX2023X-XShortcut.pdf"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0471E20AD41C824CF068C518AD72515B --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:656
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B2325539EACF85370CBE84DB22374FD3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B2325539EACF85370CBE84DB22374FD3 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2264
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEBECD626B0E4EFB5FCB56761B86887F --mojo-platform-channel-handle=2176 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1136
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=68FEB4B8EFCB1C7C72A17B5D9F805121 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=68FEB4B8EFCB1C7C72A17B5D9F805121 --renderer-client-id=5 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3084
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=65F89706D7064D48DD37F4DCC9EF3399 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2976
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC74A81264AEA431C896B57E30E2BBD6 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7271fc7cb3e2d392e8dccf729f4c6c9c

SHA1
cc319a06de8d1687c91850d599a85bd38a587b23

SHA256
52e89592c723daeb5fe5326334a5a13f9f5a3edce184a179ae6ca381bc4be021

SHA512
69d8f4b18a3c36125d866f438a5ea238206c489431ed4b1a4dbaf82bc047cd4916b3ee4040fdf144998fbead26b8619df42c5fbc1b512861b7bed6448c9e4e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8330c137b89714ced2eaaa794ccf0292

SHA1
d56e3dba7b428dc514c609159109d97d7ae8e294

SHA256
9cd44cf68faaaf7055a728fce53a8028aa3b2793f8009536c0b596f645358d76

SHA512
05d54e486174db5776929b5b8b9136ec48cb2d6d7a46dec6ad796d8141ca0c228eec2e3bbd5253ab65d8f6311c9754b943504fbfdcddafd03d106d13c8a38957

Download Submit
memory/3660-162-0x000000000B510000-0x000000000B531000-memory.dmp

Filesize
132KB

Download