1e5085f5a0e3b021abb4a003d524c4f75765f8148cc480185a69b3cd19dd38ce

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4180d26fd3ecddcc79300127247caec3.pdf
Size

32KB
MD5

4180d26fd3ecddcc79300127247caec3
SHA1

6b3bb704f68d6e75e87863e6041915daa54f2d24
SHA256

1e5085f5a0e3b021abb4a003d524c4f75765f8148cc480185a69b3cd19dd38ce
SHA512

bb9b3bfc8a7127570f1f1c5fc513304acf2827a99911ab218f503d86af993d5bbee55ecd6a8394ee2b8b2b81fd921a74eb377685da79bd88a838d79de71b1ee0
SSDEEP

768:i1Kc59EZ0PDfrsJgytvyciO3d7Q/vdF7MOvllVoeJ3ru9k:8hrylbio76F7MOt5B8k

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2916	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe
2916	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3756	2916	AcroRd32.exe	90
PID 2916 wrote to memory of 3756	2916	AcroRd32.exe	90
PID 2916 wrote to memory of 3756	2916	AcroRd32.exe	90
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 4804	3756	RdrCEF.exe	92
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91
PID 3756 wrote to memory of 2512	3756	RdrCEF.exe	91

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4180d26fd3ecddcc79300127247caec3.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D32F30ED45D08C869C848D9F84F06B94 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D32F30ED45D08C869C848D9F84F06B94 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2512
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A80DFD74E89BD365467BEA74EF4B1369 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4804
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=442A154926AF98ADCAA1B07E5D03399E --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4776
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1343D1B46C88359A6229DF199A40CA58 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4304
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1CAE7812AFBDB54DAF21861FE3D2453D --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4316
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DDFBA270228B24BE98E8D13B304329A2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DDFBA270228B24BE98E8D13B304329A2 --renderer-client-id=7 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
43KB

MD5
ce4937286aab50490b1cfa64a7cf20da

SHA1
756749d40a0bf7db9b193b715e67fef091de1e76

SHA256
0cd00688599bf42ee5a6f3d258af0e65ad0c08fb42cb620c998d773027d4270f

SHA512
7ffb9ee04c1ec0e79f339070fd827d0ba586f995b2d1094faac32be31b451cb008ac3ffe4fe2b69151fe562057a6808c00341949e4aa5c7980c24d41ca280aa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
17KB

MD5
ea601217b02524d366169a0605cca388

SHA1
966cdc5dfa2edf410a2844ba4309b1b970291777

SHA256
0e7ec38bd5be29353c8597964e3c9179b6c5ea43c99190e03ac82cff38b06872

SHA512
f876834db1767f2f5a470e6125e8727189c41263a0d57fde2ca35bccda7f22a2a25fbd8383fbc6ce7dde7c1a4af3ed8ad8c888bfe4a7e30c9f1bfcc9a5c4ba8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
4KB

MD5
2b8e2f30a654c39c74282e47a10d7a11

SHA1
08d31d0493eb9051a188bbf44d90988559de1448

SHA256
c3e7cb1a4ff982c850b9aacb03511575f03702af566f6aac5b46262172a2a3f5

SHA512
dd6a829d20cd7e9fe1c369ccc09c6d37f654f19b1b267c899f946baf11ff53dad96b0e0007d84ce56609c7ea35af5c4e39316eaa5372d9425c8cd0de45ea6e03

Download Submit
memory/2916-27-0x0000000009A00000-0x0000000009A21000-memory.dmp

Filesize
132KB

Download