65bd597bfcf5afdf2f63a084aae96f7145c7c83b6c204b9541633f2dbfccda68

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2023, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

phishing.pdf
Size

107KB
MD5

1a81a612d4139ce719e63683d283478c
SHA1

149c18c37640b6487a0326abc951a4a7283c42ff
SHA256

65bd597bfcf5afdf2f63a084aae96f7145c7c83b6c204b9541633f2dbfccda68
SHA512

b1f395ed0fb88b2f2e9c6b9fe1c3f4c953117e842c9f294d4b1741709828881ea953c9f03b83cef4587aa64a7d6f7387afbe56aed59e33379e8cb8b492b1b862
SSDEEP

1536:9yZ96SH7RbBcq/hBOitOOdG538OZU+KaSxtLRU+9S/BqK365UBmA4t:4ZXbBd/zLdy38AU+1SBU+wT3KUBmZ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1532	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1532	AcroRd32.exe
1532	AcroRd32.exe
1532	AcroRd32.exe
1532	AcroRd32.exe
1532	AcroRd32.exe
1532	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1004	1532	AcroRd32.exe	86
PID 1532 wrote to memory of 1004	1532	AcroRd32.exe	86
PID 1532 wrote to memory of 1004	1532	AcroRd32.exe	86
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1168	1004	RdrCEF.exe	87
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88
PID 1004 wrote to memory of 1984	1004	RdrCEF.exe	88

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\phishing.pdf"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=15FE062FA309C5D6AE763517B0FD6DDE --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1168
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=30AAF3006C624C5913DE9F37706D176A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=30AAF3006C624C5913DE9F37706D176A --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D932FD5DA760465571873051085F090 --mojo-platform-channel-handle=2156 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:468
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8A01B6F38A505B7217E93C068621060E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8A01B6F38A505B7217E93C068621060E --renderer-client-id=5 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3476
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5DFEB8DBA1E5F5E45EA03C248193784 --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3144
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A060A3AEE0AE9EA022992AF69F936DEE --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
cfd3df3e9d8f5099b6531ff4047ee4e5

SHA1
e54f6d5f331a6ba33433ad4aeaef42ea6c99d386

SHA256
a19f92e9d97619a40aa0a24ef9059d929e9697cf5069d48cafe58114c19b4bac

SHA512
a81ea59bcb11d6493f9f5b8eb5c4e843e2ceaaef01b24cff7ab2b754952d77c10ed9a9339021de64dfa363f0a50f6f5b427f9d68c8c1fe33cbb57cc5f784c2f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5441ab67e32f0f9a758a0311959db2c1

SHA1
3e679c840c92360dd2a68a1b0c006ae8f086b306

SHA256
a73405d8b95420a520a15a53235d31bb998d768e92273f36c46fb3e0190bac12

SHA512
eb76c933bbd46721b73d3bf789c78e3e4a5dd7e619612ed18e32ed09857205d9c0c05047cb33b78c77972ea1a50bee9bfe0e19d158b40441ed5c9898862d9de2

Download Submit