e21d58bd08e5380dbac2aa665c0371f126dab74a4420cc949fa1c1a16e860c92

Analysis

max time kernel
143s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22/02/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WekaManual.pdf
Size

6.3MB
MD5

dd5156c586cb27f3e4507f5ad790c555
SHA1

b76820fc9f50dae8c9681decbf66af2888e81689
SHA256

29864bac10d18e6e33c77b4e9e5ea1c2d4fd0abccb6d928817b60b00a4e2da26
SHA512

3eab5e23d151d0d994cb8fb2bc8fb87c99cda8d99515cb3a8f701ba6df237ac398f29db010cca46ce7e540bdd7c9ddb4caaaf894fa55c0072204962441bd6a4e
SSDEEP

98304:AAXpH3Sz5AhP3byUnPm18+fyVQozQVZd2zvIWAIv5x+WAopDY:tXd3qAhPLyP8V3zQVZd2Jv3U

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1996	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1996	AcroRd32.exe
1996	AcroRd32.exe
1996	AcroRd32.exe
1996	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 832	1996	AcroRd32.exe	77
PID 1996 wrote to memory of 832	1996	AcroRd32.exe	77
PID 1996 wrote to memory of 832	1996	AcroRd32.exe	77
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 2004	832	RdrCEF.exe	78
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79
PID 832 wrote to memory of 1544	832	RdrCEF.exe	79

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\WekaManual.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=978E4A7FF3FE9382FE260F8F5F20CDAC --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2004
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=981AA78D332FBEF6B8F34F4B89487EBF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=981AA78D332FBEF6B8F34F4B89487EBF --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1544
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CE2319D9BC68A353F9E93E30F3F11EA6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CE2319D9BC68A353F9E93E30F3F11EA6 --renderer-client-id=4 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3312
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D125BD0C2DF8F3E1283BBEF39FD3B45D --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:412
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D1813858EB360641549FA4DDADB653F --mojo-platform-channel-handle=1896 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1136
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E2019E48B7D3C4D596C07593C818392E --mojo-platform-channel-handle=2776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c8eadd6469ac4bd2caea1d3543fe1653

SHA1
a89eb07ac14e115d888af65df1673aae210ec06d

SHA256
f4f6f2fab98b172dcccdcf295138b588eb17b03cff758337b89856106ccc92f9

SHA512
ff4758a794813b7209ad26fe83b1fce815673b875641105c9ff0f0adc51394d562a1dc1a963b0145f1bf7488c632ee08e1b8b67664208d77f97adc564ba83246

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
39609e9bf76d98b010c3d75baec747db

SHA1
3cffc66392bfc6563c1d1863b5dbda38a025c526

SHA256
065cadae3523e64286d62cc356d0acf4f5c02dce4d7c1ee04aba92dcc84dbf37

SHA512
2c7776aa7fdea6890bb80c54b1f8f37599d511ec6f42e7baee285574918c5c5a0f7a5dfb00b39effc33613ce7c1d976f34e39c3836c650332735245dbbfca82a

Download Submit