c0ae4716b9eaf645250c6373722a3cc3b4a8cc50093264cc0f2464dc5b02b127

Analysis

max time kernel
164s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

171b25aa921bb193cb3258fcd0469bd8.pdf
Size

77KB
MD5

171b25aa921bb193cb3258fcd0469bd8
SHA1

cfe35345372d9b32d33cdb7fc444f54d9ecabbc4
SHA256

c0ae4716b9eaf645250c6373722a3cc3b4a8cc50093264cc0f2464dc5b02b127
SHA512

34a3b370f1938b1778e79fbfab1887df4f5e29631ea50b0480a6d731f70ba554fdc199550aae99c5d02ff084160b4fc62e5274b5a4456873867926934d8230f2
SSDEEP

1536:Kodp0kvB1fbRTPp/+6ZvO0xyau345NdrD1SUWkNpOP8XkXg/MESW+WqItKKF01DK:jdpzNP1+6Z9yau345NlDiP40TWsTKF0E

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
336	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe
336	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 4480	336	AcroRd32.exe	91
PID 336 wrote to memory of 4480	336	AcroRd32.exe	91
PID 336 wrote to memory of 4480	336	AcroRd32.exe	91
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 3584	4480	RdrCEF.exe	93
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92
PID 4480 wrote to memory of 436	4480	RdrCEF.exe	92

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\171b25aa921bb193cb3258fcd0469bd8.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=33B7EA76AD78B8171ADD34A239F46F72 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=33B7EA76AD78B8171ADD34A239F46F72 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:436
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6A2EF691845D92F20514C73B952CA4FF --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3584
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F8E629F8059CD727B2BDA2FD0BC46F4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3700
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9B2D4C495B3E509EE11AC80DD5060C01 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9B2D4C495B3E509EE11AC80DD5060C01 --renderer-client-id=5 --mojo-platform-channel-handle=1920 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4104
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=078ECA0B1F701B83ADA11396DE37C5B8 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2964
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1A5861372A647C3C173B61B012506B98 --mojo-platform-channel-handle=2388 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
53KB

MD5
799ce3c3fa59a5b8d62008c53573c239

SHA1
4039565bdd3945e740f771595404d500534f0100

SHA256
a014946c5d63be6b94c0c91c77ea17e6201c9abf3679c14efbd3591d3b804859

SHA512
20509bd80c6b6d78c326f00429a723b878885b8f98aa1e2b86f8a811d32538165dd090214b608e62ed43c5fc3ac865d9f9bda8a0bb32342fac85e68474013be9

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
4KB

MD5
1fd5305562b0a22078e828ecd2f09183

SHA1
61a106711bcaebf8ce1cc2b124a818ed9c925ed9

SHA256
96945fb7c3168e900a363e0b6cae4c26f9e6315e6a410a304d307cd54278abff

SHA512
86882a8d82697d7a03b11282dfd3f1ac571485e1aa6c022ce30bf4961ce314407beb0968879cf7f056d64234e705597980bc20f8e5564d88b42d912e5ce6432c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit