4727d72ca0cf935a6893277a06c0eafceffb738205fddcd275f2b504e875b2db

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa56f5905aad4dbca538d281f6ad8096.pdf
Size

82KB
MD5

aa56f5905aad4dbca538d281f6ad8096
SHA1

2882ac071ebdce7b5d30a7c8115bdba0b0f0a389
SHA256

4727d72ca0cf935a6893277a06c0eafceffb738205fddcd275f2b504e875b2db
SHA512

db36c97f876a5a55864b0e92f9d9122f68df95af0562bc13713c192eba59ced7830f6e1a95272f61b48598e7e76d6772805237588c03a847fc17306875e0fdff
SSDEEP

1536:9+sUrj7BQzqxnh9p22kw1IZthLA74l6dIcsktdmQ/Igb8JpQNNH:x2jtQuph9LkGIr6o6mc5td/1bQpQD

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4584	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4584	AcroRd32.exe
4584	AcroRd32.exe
4584	AcroRd32.exe
4584	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1072	4584	AcroRd32.exe	94
PID 4584 wrote to memory of 1072	4584	AcroRd32.exe	94
PID 4584 wrote to memory of 1072	4584	AcroRd32.exe	94
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 4232	1072	RdrCEF.exe	95
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96
PID 1072 wrote to memory of 1736	1072	RdrCEF.exe	96

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\aa56f5905aad4dbca538d281f6ad8096.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8CB9EE161D4FCFAC3722E9CF76BA0418 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4232
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=330299B42C6D165C6346F47B63B54121 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=330299B42C6D165C6346F47B63B54121 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1736
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B363CA5099BA63F0F44E1C2F86B25C4C --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4992
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5490E69CB2F57C19C0E0C130497986A9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5490E69CB2F57C19C0E0C130497986A9 --renderer-client-id=5 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4468
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A7E3260EC591E741C052692DD40DD7FF --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4048
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1DB44AD621C849EF3E7D4B410F3642F3 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
222ef039b7a2002a44dbeda7959487a8

SHA1
74e1b5646ed21dadce8311f5ccf8ebf2ecb3aa57

SHA256
fa6a1d9962d5c8abd4ee0173318d90c86dfb4e10649c0c2cea613b38b7ca5bdf

SHA512
26dfba6900c02ff3f6e50c49ab363ffa0427dd0e533e3fa8ed9455bf534e182c60d90608d18574ffcbdfd7fc65021529f1228780b288510f213b946ee8498b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4e90599d63bdb312e16576cb894adf1f

SHA1
8dcb46d201f4d95b224d43bd30c3209118f6f0e5

SHA256
abfdf848ab29bdba480a1dbb6530550d0c7949fd2a0066c8818ac29567078878

SHA512
79e2443a02dac92848dfca71835ddd52e9f345faa3747c3780177c5a325c7bc270341dbd43ae12ab0e46b3f702c8209a4ad187e3c0e7079459a8cbacee1334f4

Download Submit