2b6dfbe7c726bb4895eabf410110021e201a256dc961af885cc33da166e4c9b9

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 05:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab11eedf48554f8bd8a4b0b21290a32a.pdf
Size

81KB
MD5

ab11eedf48554f8bd8a4b0b21290a32a
SHA1

6a16e9dce8fd3063762dfbb9b22727a0e9f6bb80
SHA256

2b6dfbe7c726bb4895eabf410110021e201a256dc961af885cc33da166e4c9b9
SHA512

a5671f78ef711e702bc9ad7b514523be16cfca21dc65a6a70a8601a145ddc6a38c45061ab9ec2245b5d0b262dd00e2ee564b293d938a4aac5fa05346f6067d0c
SSDEEP

1536:lFbXl10T1Le46Xs+dv4Rbxj3glxIJBa3G423u7mxokqDp2Lm1jvp8o:bX0ThXuddibC4g3G93u7mxoALm1T1

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3312	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3312	AcroRd32.exe
3312	AcroRd32.exe
3312	AcroRd32.exe
3312	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 1548	3312	AcroRd32.exe	92
PID 3312 wrote to memory of 1548	3312	AcroRd32.exe	92
PID 3312 wrote to memory of 1548	3312	AcroRd32.exe	92
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 2400	1548	RdrCEF.exe	93
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94
PID 1548 wrote to memory of 4868	1548	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ab11eedf48554f8bd8a4b0b21290a32a.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=69766F6396C936BA6725244D97180746 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2400
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=28655362AC28CB5A7C5A443B94A9AB54 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=28655362AC28CB5A7C5A443B94A9AB54 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4868
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AFA955ADBFC908312F1D9479D14617ED --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6C0C390A98C936862126A35CFAF8F7B0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6C0C390A98C936862126A35CFAF8F7B0 --renderer-client-id=5 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:752
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A9FF4A7E057B73299030C1BD1ADCF3DA --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1828
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=377A784EF1174570A877BDA4A7AB9834 --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
50c29d123cb80126ca864d47475410d8

SHA1
4d8562648c2535bc689d174329677a3dea10b9a3

SHA256
fe47c9e5a3a57369d4414c801914b052b141ce64105dab88e2a6778e0677a457

SHA512
6120e9b07adc5fc147bfe9033d3e1dc066f20ba1616e3eee65c6a1a096d4c46f7a1d941151743881e703157d862207f25f38cfd46f81ae12d985ba9bee8d24b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
3b58ce1eb64681aa6a552ff266223ec6

SHA1
59143db564aa7bc7e1d5a425fd45de3dc2d6afa2

SHA256
1a5276f0328b712e55bdff36376ea241cf1a55c30cea597e1826c906ed30945b

SHA512
12521ce47404182fcdf123e5626d50a96b5f2611d2812ca385f5e106be697ac17e5797b003ec9a2a62156ca29969aa828bf583ead9ee4d170673c0fea3058e27

Download Submit
memory/3312-31-0x000000000B6E0000-0x000000000B701000-memory.dmp

Filesize
132KB

Download