352ba5503deee5f4eddd5a10124de1aa1543f977efb1e233da454b15d192c0a5

Analysis

max time kernel
45s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ca2fc17d16a882640565341be4a7d31.pdf
Size

90KB
MD5

3ca2fc17d16a882640565341be4a7d31
SHA1

dab1d8b87292b095c3ecd5f0e0c540ea74de0792
SHA256

352ba5503deee5f4eddd5a10124de1aa1543f977efb1e233da454b15d192c0a5
SHA512

cbf223df9c6ef618dbf97b0ba46cb0acc2a6dbe88f6852b052a3fc38f43a4b29e31b10a46a7e9aca9a3899961233fc079d7945500357fdb9acd154aca245386c
SSDEEP

1536:QmRzpfUgpvasTZjymlQLuWh0T7mkOlIhYK1WOcxTGA9bWQpOCoWZa1ZcDQe9Z:NnvzTZjAqWO5jsxR9GCJa0EU

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2212	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2212	AcroRd32.exe
2212	AcroRd32.exe
2212	AcroRd32.exe
2212	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1760	2212	AcroRd32.exe	99
PID 2212 wrote to memory of 1760	2212	AcroRd32.exe	99
PID 2212 wrote to memory of 1760	2212	AcroRd32.exe	99
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 4156	1760	RdrCEF.exe	102
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101
PID 1760 wrote to memory of 3296	1760	RdrCEF.exe	101

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3ca2fc17d16a882640565341be4a7d31.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=77D57072F430C84F2BC8133AB2B44679 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=77D57072F430C84F2BC8133AB2B44679 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3296
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B4677474185463C288ACC13767A33C81 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4156
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F4D3FD047EB139C887B78D3DE04DDE3E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F4D3FD047EB139C887B78D3DE04DDE3E --renderer-client-id=4 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5000
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E139FCA536B696CE2AF7BC10B6D2A6D9 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1072
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8FEFA03B7418585F33ADC5549BF4D233 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3828
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA14C776E55FAA790495A333FAA45CE8 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e5dd9530dc3dd7cc7188ed0258d389fe

SHA1
2d36b5eeb044c7f25309b3c1c72c851c3e3de2c1

SHA256
8be56329db19e44bbdd757f1ae3c78b9f298f24763328ac86754dab021891a3b

SHA512
1c0b1307491c5737bd650f328c620713284812d578e17b82f7ad82d5d2c9c7ef626820c50ca1a29eb76ab0344e9911ae8f993f960e0d4c61b102db71ab0257fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
34KB

MD5
02b084aa7198cd562577b65c7568d110

SHA1
d09e731b16ab0f0613ca413c62e41114546defda

SHA256
a3423f4f0182b5d474b7fcdc0d3f875ec7478836f935aae1b077e8c2abace22d

SHA512
7097b3445c001feb719fc9a1603221051b7e0cbbdecd0dcdaf5a06d2b92fedc736d4ccfa7b10bf34a0422038e0f80e7441dea2e273664b329d3ce15afa83e7b7

Download Submit