dd6b89aebe5b5ea6f6ae3608175c02ae54aa2030235be893a65a4050367742fb

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe8febbeee6ccb2d9e54d8d9d14f873.pdf
Size

86KB
MD5

abe8febbeee6ccb2d9e54d8d9d14f873
SHA1

c6c12250bbefd3549fe6fb70199b8d98c23e71de
SHA256

dd6b89aebe5b5ea6f6ae3608175c02ae54aa2030235be893a65a4050367742fb
SHA512

3951cb5ec67cb0de7d032449c3408c8b6c425ec7699960a6985f9fec52ae2fa0e231a1f1e73bf8b1c5bf0cfecbd661a9158bc6cc7dc2a16b7c53d4aa04015c92
SSDEEP

1536:3z9KGp54L52sT/4Pyjh1FhjmkBadzZta0Uzv9xQAiKyaFHJ02JW5oOslz:DsGps52sj4q3Fh1AZtjAiraFHJhgW

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2572	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2572	AcroRd32.exe
2572	AcroRd32.exe
2572	AcroRd32.exe
2572	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 4052	2572	AcroRd32.exe	91
PID 2572 wrote to memory of 4052	2572	AcroRd32.exe	91
PID 2572 wrote to memory of 4052	2572	AcroRd32.exe	91
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2200	4052	RdrCEF.exe	92
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93
PID 4052 wrote to memory of 2644	4052	RdrCEF.exe	93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\abe8febbeee6ccb2d9e54d8d9d14f873.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BFC51C390B2ACC98B7735F7D072A2EFF --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2200
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AB385BF3D112045FF4AC885DAAD45428 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AB385BF3D112045FF4AC885DAAD45428 --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B61C888DD360426A7D8BF0B4E6505C94 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B61C888DD360426A7D8BF0B4E6505C94 --renderer-client-id=4 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F692F978C81DC42B03DAB7A83DE7828B --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3316
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=46FC43FE127219EF270F71369C256043 --mojo-platform-channel-handle=1880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4920
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1358A36C98E3BA45AD19BF00929D314A --mojo-platform-channel-handle=2588 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ffadb081a31ff8f449146a5c6004ef21

SHA1
ba58168c45c9a191a1011814a6c94728850010d8

SHA256
3d3c09e15e612f83568d515484713c81e9276c7d31bb6c6e7be8623df1725ee2

SHA512
7414bc2fc8d6811fd0c08ffcde9707e7c5601d36d8ab89e16c5e8483c92f3e8fb117fbca02fd5549026fd310ba3f084a0f9895ab6089ccc8d125971ab17e03c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ca78eeb1fe707db16be3c7b277fca451

SHA1
5d8a80734d8a48f6ee8a3c18952776ed64b23651

SHA256
d856e632a675f430553de921504bbb6f5aa8fa0ab8dbb855d3a4ca714faf95a5

SHA512
98987a8c6f3a6c35e41d840ef22bdc6251b0c516c07490497f56f10e09331716a0fd3a5a15fd2339ab2c86245dcf5206711f591fa2345eddb9f9c4c5e184d5a3

Download Submit
memory/2572-30-0x000000000C030000-0x000000000C051000-memory.dmp

Filesize
132KB

Download