06036f5ab05067347810e412a927288f97fb94975367ae0a8f8f8c6111c44ebf

Analysis

max time kernel
140s
max time network
141s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
06-11-2023 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mastering CMC Compliance.pdf
Size

218KB
MD5

4d4a1e6fcd32c0a1753c53e2863952b5
SHA1

bb11920c2673828dc8197f04aebf464bf2081084
SHA256

04b6a5c8ea4701a1987d4af46432eeb760903bb05191e08cca1c3528fac71486
SHA512

3b00c5903f022426dec6c73be51074f182c6ed472ddaa90fa720c524c58ae9f38f921deab4421e863a06d4a83038da6ddf59fb88ca7f61b56e218e52eeb73cb6
SSDEEP

6144:o8dhY9u8KmC+5khLIa8YYoG0qgqQiEY2LR505:3hsnx5khEa8YYoG0nTlLs5

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
716	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
716	AcroRd32.exe
716	AcroRd32.exe
716	AcroRd32.exe
716	AcroRd32.exe
716	AcroRd32.exe
716	AcroRd32.exe
716	AcroRd32.exe
716	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 2244	716	AcroRd32.exe	71
PID 716 wrote to memory of 2244	716	AcroRd32.exe	71
PID 716 wrote to memory of 2244	716	AcroRd32.exe	71
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 4916	2244	RdrCEF.exe	72
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73
PID 2244 wrote to memory of 5064	2244	RdrCEF.exe	73

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mastering CMC Compliance.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:716
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=269F223E63B11E57D8E3DBDAF3F7BE03 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4916
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=45C59F23DC91A611D2395405CA42EC74 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=45C59F23DC91A611D2395405CA42EC74 --renderer-client-id=2 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5064
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=091A6E256CCC26B28276D4805F7BFD26 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=091A6E256CCC26B28276D4805F7BFD26 --renderer-client-id=4 --mojo-platform-channel-handle=2224 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3516
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91819D47D1CD02441070350D696A76F7 --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4216
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=095A08317BC0F12FE821E0AD5EE24A5C --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4224
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A60643FF7DBF9ADA6B5F2776D1987651 --mojo-platform-channel-handle=2592 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3776

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\29d5d6e904fc43db80427fe07e7ec442 /t 2212 /p 716
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2963f3c1190dcf5c79f618e49def535f

SHA1
66d12ad8d7ae44a45eebf56f139ae17d4205c9ab

SHA256
2bfa96f70d9382b60361a656894bfa40b426fe392cb284ec2774dac84fe5c1d5

SHA512
50225684a6a09a10bf8bae753527c752122f771659a0e32e449c18d90c14b77f5381fbd15cdbd9e78697e381d9498bbddfb7192801f45bc50ffa74ecfb611929

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
22c4db43d4360864874637c5159a36b9

SHA1
c8aa88ccc69752bd967659af72213df3a213ddb7

SHA256
9f48ad25441ef41048a191594de97cd598936613cd3b61263de46ca3f2c58a6f

SHA512
fa1080c5d57e1d754fb932813b2e0b8093e505146a26320d2c612b119fc449897e3f43dfc5717991c37b8b1e6991693807165aa0250b0140f45c694ecc8bbfd1

Download Submit
memory/716-35-0x000000000A210000-0x000000000A231000-memory.dmp

Filesize
132KB

Download