1e2b00f429eeb003e63f72d5a5953afc583b6b15e9aaa6ae82ee34459c96c0e0

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eb0508826156812c9199ab990dc0b96.pdf
Size

36KB
MD5

6eb0508826156812c9199ab990dc0b96
SHA1

4b0daba2076456c97880b122ec33991363208e4c
SHA256

1e2b00f429eeb003e63f72d5a5953afc583b6b15e9aaa6ae82ee34459c96c0e0
SHA512

30a84be183f96e7db3da8562b7f1d6b08f37a4754bcab62332ca666670fc1a428def52fa339c66c8eaa1b79d4ef96aea35b1b4aed48108690bda3715d5ac2978
SSDEEP

768:NPFYyPGkcfZOIspu9U4bveRdWZ7/fd4SOW+XHoMwbbWqglNNAB4G2FHy:RmeGkcU8lbmu14SOHoMwHTglg4XFHy

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1372	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 5084	1372	AcroRd32.exe	95
PID 1372 wrote to memory of 5084	1372	AcroRd32.exe	95
PID 1372 wrote to memory of 5084	1372	AcroRd32.exe	95
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 3840	5084	RdrCEF.exe	97
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96
PID 5084 wrote to memory of 4808	5084	RdrCEF.exe	96

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6eb0508826156812c9199ab990dc0b96.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BA7D2BD76DC01F1DCDF0DB4079B31A2D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BA7D2BD76DC01F1DCDF0DB4079B31A2D --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=71C44AD5691632E5B5096632E009DF2F --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3840
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C7D6B54AE33B63C42E266BCDB2C9C2BB --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:8
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7FEB34AB6381DA5DE008955402D5AAE --mojo-platform-channel-handle=1920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3340
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9523EE1F096EB2B507484C0B9EBFC57F --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3996
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=33B4D6D1485BB5954980EE72FF49E812 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=33B4D6D1485BB5954980EE72FF49E812 --renderer-client-id=8 --mojo-platform-channel-handle=2384 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
1KB

MD5
7319b126796069e135d3fd2bbaf5d3eb

SHA1
7ed290ba43dba5a49082025335aec8111aeaa0f2

SHA256
d9b3defaabe76765a363ea9dfc3e3b598f08c9eeff5becabd5bb24d3b91e5062

SHA512
ff0f8dd4473a4d6f1fc5b330f27e5275d8ce71b9f08c646ef6053eaaed8d3264fffa703d9b6ccf29d48cc5a13a1d5070e78d39fcdd0029f9e03bf2fb66bfb437

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
19KB

MD5
a79cdc297497889f76ca0c38de68bf1b

SHA1
c0e063c65a77af9fb84192b9ca3b8b4ad186a010

SHA256
fe56bb4d316fc035da3a2b4ac9e56b75fe0ee25eeea1fde7c800f00f0ebf67c6

SHA512
cedfeca1f532fb2969ae0a6aba4ac97cd537234e4b94c1766ae82ab4c220002f3d7d0e6b43ab0b0009b66e4e76342dabf087392c4cbb4314629bf6abfc9bf121

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
1KB

MD5
d0df5f9974138501424cb06472477adf

SHA1
9d143e2c9c48327c6fa0b4f2fb65be982037db51

SHA256
6c3615c908cb98afc062e70b7f985bf7b667fd8540a25824aa07a14b6b6a05d6

SHA512
9a7d8b47a8311e00ba206fee9bf0d42991a0caaf43492ea067bb6c9eb333a3231a35bae1efcd95add82d6dbfcfef5e10d42c084b9e73c5fdd7eadf8131324617

Download Submit
memory/1372-26-0x000000000A480000-0x000000000A4D0000-memory.dmp

Filesize
320KB

Download