0edec6e062c24538a01136f92636b5cfbb012f62109376df93e3797c43c629ef

Analysis

max time kernel
168s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

679ae0cec7ee689bebfaad920ff17d97.pdf
Size

90KB
MD5

679ae0cec7ee689bebfaad920ff17d97
SHA1

b4b8215660209a6719b75391b1a64bf1880c0537
SHA256

0edec6e062c24538a01136f92636b5cfbb012f62109376df93e3797c43c629ef
SHA512

6729aff278bfcd00665bb72c3e206c3f541270044ce2b5d78aff7c7bb6f7ecea930dd4312eed52a30706d08a30e019cd7e1488f5036e96a6471ba03ba1eac916
SSDEEP

1536:lhylyq9WwYvmeBbvKz6pKkk929WC/VTOPmw8+EaAhZLfBPUNSWkNpOP7YWlWkj7i:t3wYeeNCzQKkk9sWYVTOPE+EaKdf6N32

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1304	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe
1304	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 4360	1304	AcroRd32.exe	95
PID 1304 wrote to memory of 4360	1304	AcroRd32.exe	95
PID 1304 wrote to memory of 4360	1304	AcroRd32.exe	95
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 3116	4360	RdrCEF.exe	96
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97
PID 4360 wrote to memory of 824	4360	RdrCEF.exe	97

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\679ae0cec7ee689bebfaad920ff17d97.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=77E54AFF42B5CB45345B0B93FBB708F9 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3116
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=56D3C49376BD51C2CAD262053FF854B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=56D3C49376BD51C2CAD262053FF854B2 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:824
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5E0679EACA86D20430A5DE92FD8323C --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2876
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=442D9C82987DC1DB8E2EC1E6F5F39E88 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=442D9C82987DC1DB8E2EC1E6F5F39E88 --renderer-client-id=5 --mojo-platform-channel-handle=1876 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4392
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E9DF3CA5DBDCEE24834B302F9DB4CD7 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=67AC8D38BF55BCE716255E4ADF8876F7 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6f2c000b311bd581d1d4e43745318a41

SHA1
e8fce9d3cc9c55bcf5674901f7fac2cb9129be96

SHA256
4a84c696a06479763db8812f30e1ac6e0eb96fd833350eaa894536efd515b941

SHA512
25e2ecf19b194ce8c733b01e3755aeb0694bb8a3773ab02eacff86d04f4411e7598d74fc1e0e363bad26f8e26d7eaab22b00ea3fd85017a4eb0c27908f2c63f9

Download Submit
memory/1304-28-0x000000000C390000-0x000000000C3B1000-memory.dmp

Filesize
132KB

Download