9ac0a50c02feacc8f4c4e3c6b2bac5ac47b83ac64a36cac64d4aca8a417b8367

Analysis

max time kernel
141s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 12:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7232bb3749371fbf4ae86ddcf2128d82.pdf
Size

82KB
MD5

7232bb3749371fbf4ae86ddcf2128d82
SHA1

99aa773b80359fe9bb2c121f17d92da91791c837
SHA256

9ac0a50c02feacc8f4c4e3c6b2bac5ac47b83ac64a36cac64d4aca8a417b8367
SHA512

c3ce51c4db69fae5e9a6dbdbcc9d0531b3d3a3ed19537ec52739d43840302dc2be654138ace883b3c0cb62d0516055fc1898ddf0ef9c99d24c7c9ff7d7d99f55
SSDEEP

1536:YOxaG8Mywpi5s+Da5IKj8OxVVXJgvqcqB/ZZrCOyM9vS4WMy66YoZLWUpO7yDCd:zllZpidDa5rxd87UBZrnSsy69oZe7x

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1328	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe
1328	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 4584	1328	AcroRd32.exe	93
PID 1328 wrote to memory of 4584	1328	AcroRd32.exe	93
PID 1328 wrote to memory of 4584	1328	AcroRd32.exe	93
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 1108	4584	RdrCEF.exe	94
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95
PID 4584 wrote to memory of 2140	4584	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7232bb3749371fbf4ae86ddcf2128d82.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BB2EA6B1C53BB7E59CE1DA3DF7B83D3 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1108
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F7CBEA96940FAAFECF528C4B93C1740D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F7CBEA96940FAAFECF528C4B93C1740D --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2140
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4A4CD0F1F06AC627930BAE977BA5D4AE --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5092
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5D1E39BE5F793AFFA1DD253B22376EA8 --mojo-platform-channel-handle=2484 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3064
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2B34E64FE56B07832F1B1F66071A5B34 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2B34E64FE56B07832F1B1F66071A5B34 --renderer-client-id=6 --mojo-platform-channel-handle=1936 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4516
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D3471D282C5940E80AF57CBFE387ED80 --mojo-platform-channel-handle=2940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8191abd4a75e8f2190c50c0a99d7d68f

SHA1
01de360face9151ea1f43244a70b77fb53496f18

SHA256
cbe69388201f143b1119ea1221b37470a7c2defa428d902375d1c1fe098f919d

SHA512
0fc98e06997d52ec8cd047b7901828afebd4c9b123396e7fa9cfa9dd3af71388f55e2c6116678e4bc6e84c4a5e7828628cfda9108510659acb3ff01d920655d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
31KB

MD5
9c6c6dda1edebe99f33e52fb0712dc38

SHA1
e76c1c8dd8c6fb0d850804815b0a9cacc1127f10

SHA256
daa7138dcc2fd68893d8343ab1aa3a839b54d30a7fdb55d94f4c59d8456f3e6b

SHA512
be7f43213aa558e764ffff400def62559a99bea922e823ec697d65d404f2c1256c07b948e8c038a970ec9f301c63424d015ad6373733720cbd612591d357115a

Download Submit
memory/1328-26-0x000000000A910000-0x000000000A960000-memory.dmp

Filesize
320KB

Download