5ab463d8262c4e6fb4c4d592195846e2694ffc20524e616748826a0ca0f155ac

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1483603b29ad5691133580409bff1163.pdf
Size

94KB
MD5

1483603b29ad5691133580409bff1163
SHA1

204dbdf442e8588e7985c563e15e9ca4009c6bdc
SHA256

5ab463d8262c4e6fb4c4d592195846e2694ffc20524e616748826a0ca0f155ac
SHA512

c7fc737dccf6cc0d948a45fd8f087fb67d2bce3996cfdacc1f08e77d4c21bf5ebd4217aa3bb3400f4f146881c524d741ed5465d4f9c533a1fc4f28e8e7a9cc6d
SSDEEP

1536:WRYt8B3CQ5w0C6pyl429Oki1fj/zx+roXHw2yDpPH4slaM4RPuxNcErizns+tonw:4YHQ5w0C6uO1b/0v1g04Ru5riLTx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3212	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe
3212	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3200	3212	AcroRd32.exe	91
PID 3212 wrote to memory of 3200	3212	AcroRd32.exe	91
PID 3212 wrote to memory of 3200	3212	AcroRd32.exe	91
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 4044	3200	RdrCEF.exe	95
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94
PID 3200 wrote to memory of 1268	3200	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1483603b29ad5691133580409bff1163.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0CB69C72454BF01C844D87E50293241D --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1268
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BA17DAD34F15BEAE82635A024A7559A0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BA17DAD34F15BEAE82635A024A7559A0 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=82B6B7F9AA1FBCC9FFD8F26CEBB1D93C --mojo-platform-channel-handle=2452 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4816
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4B181D6D00789EE2E6999108B85F0B3F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4B181D6D00789EE2E6999108B85F0B3F --renderer-client-id=4 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2296
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8D75E4607DEB7324BEAAD833C4827CE --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0ED764E34242E2391572E0E4551E8C43 --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4448

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
17KB

MD5
3e992b0f6c925ce9b1915308abc9cb18

SHA1
ab91937c92558143ed637ffab9e140ef7b4ee3de

SHA256
643bf0b3f2e04b711b94610679bfa13b0670a5452504fa7b78b61b7c6aebe0b9

SHA512
d0d0e119bb25fbeed1191aa7889118f7acfb11e12a142223b00c7874ebbc15f3effb9224b1c051a62bb39ba283220ed582f6af4137ec6f2f88e91997b9fc5f6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
8KB

MD5
99e95751c5b98d828ed804cd6b7fdc38

SHA1
81080d85902f6da634489af5c0bf608e7beb1cab

SHA256
8d1c1ce4c58fa1e791cf4379ff3e0bc2117f3bb9914ee2875d73f766927d3e84

SHA512
930a3645e35c4f10d9eadfc84b9d2920ec0da774efac07c5754f0ff379c23e444ccd5f6446b8b0fa85aac082cf27f920b9be5fc6b8006fa871d64f19b1a90c49

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
43KB

MD5
4870363129d54935703dbd26cc236e4b

SHA1
f12127386d9a21daf56c43d936e1d89ab96c6ef7

SHA256
f5f980f9ff5cb66e9f0627dc9e8fa72e0b99795db6cec7205b94b71246182fce

SHA512
2e2c65bb5a32d465eb7d0502ed57bd513116741587650a7db04b34191828a55e72f2e0289ba610128485ec95747858c0104f9d9ce2da96bcbcfae3ae63922e33

Download Submit