8cbcf688d8cf2be8cfcdb397569fc979c8ac591b7a8d0056e897093ef069ffc6

Resubmissions

15/08/2023, 18:42

230815-xcjytsda27 3

15/08/2023, 18:09

230815-wrmgtscg74 3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2023, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

whirlpool/A/Whirlpool-cover.pdf
Size

35KB
MD5

03944b6bc43f89a1c2df004466f91900
SHA1

76f6e379530c586c7eba54d194cb6a889356e46b
SHA256

80766b769a0846bc8892da25f018a6d170de2982312abcca4c3ef007cc7a8c5b
SHA512

86ea1b8874cbc887feb8af06aa55d567c6fa8cf81d4244825768c6fc23cdaa4c7a0913bb10ad42ac97381af9f266728b89c36a29977208a6f079a48af9f2ab8a
SSDEEP

768:y5C1R7R7/im1+soMaEbNw4jvZ3YgDjfRr74QP4Oc2JXDOJMw:yyR7R76mxnZw4lZYQbJk

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3940	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3940	AcroRd32.exe
3940	AcroRd32.exe
3940	AcroRd32.exe
3940	AcroRd32.exe
3940	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2432	3940	AcroRd32.exe	88
PID 3940 wrote to memory of 2432	3940	AcroRd32.exe	88
PID 3940 wrote to memory of 2432	3940	AcroRd32.exe	88
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2520	2432	RdrCEF.exe	89
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90
PID 2432 wrote to memory of 2948	2432	RdrCEF.exe	90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\whirlpool\A\Whirlpool-cover.pdf"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6B3C62FFE96BB5C52A9B9824F25D0919 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2520
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=94270C779F9D291C4C74F17A72346737 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=94270C779F9D291C4C74F17A72346737 --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2948
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0F094BC7549CA9771675201D1BD931FD --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4748
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BA8867AAA55616C37F48BD23AE2702F1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BA8867AAA55616C37F48BD23AE2702F1 --renderer-client-id=5 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5D221E6CDCCC2F5A106F712327F483AB --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4456
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C4F57C58C5A9AACFE1E9745A560B89D --mojo-platform-channel-handle=2684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
851bb13571e7bc6b4c92982275458d2b

SHA1
66a010d69280470895f1a5c18e5c18821448042b

SHA256
9a46c4b2f04f4ae422ed2162b667d4d7e95fa47487b5ddca61a727939dc373e3

SHA512
84b893e0b28bf7c3fc0358f058119ac0cc0e8be6efebc5d6e1d0b719104a0df36fe1423b449290aa10cb4ba8826d15aee3bb38fa23ee8d1d72478d2a5bfe3c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4687a20560cdf901a70058e985d69f0a

SHA1
bb485e473b79ab693e8a5fbeaa8c82084b5190c3

SHA256
96c8e80c99681513d1fcb8c62b07a356e651ff63ed917f22f4adda358b15051e

SHA512
e52d8353c8832d420d78e9ebdd71c9d27eb493778d41cdcd075d9756c9a2b54af45842eff216f57e96629f82040b5ae8ecf419ef3ec139c8f68d648ef7bfb798

Download Submit