1d0ce4396c85eac0180f2568dc8419cf7fb6abeb4ebf6f41cc28d952ea64fa6d

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edirectory/Docs/eDirectory_Users_Manual_v5.pdf
Size

4.9MB
MD5

a158779a2a2fcd33cf169382f8dc02bf
SHA1

1fad792527f91efd13903bebc9e4d00ed57bc18f
SHA256

204c472b897de2f7985199cc9f312e419e1696a10a746aac868b112c8aca7925
SHA512

39dec57d7b20f6943be78e0d9734f0074061701a18527e01bf57192eb390aaddbb34d4f1d29f22da8bedc350b1ce01c39bb63cde4a60b43c8358728fa48eabd7
SSDEEP

98304:WD5hmdDDDvjymbh8X2GJbNriJ6NY7DHzgU:WfMjy8K5JpiJ6NYnH/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2332	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2332	AcroRd32.exe
2332	AcroRd32.exe
2332	AcroRd32.exe
2332	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2100	2332	AcroRd32.exe	91
PID 2332 wrote to memory of 2100	2332	AcroRd32.exe	91
PID 2332 wrote to memory of 2100	2332	AcroRd32.exe	91
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 1284	2100	RdrCEF.exe	92
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93
PID 2100 wrote to memory of 784	2100	RdrCEF.exe	93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\edirectory\Docs\eDirectory_Users_Manual_v5.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EDA6B41FF21950A2338CA67B58F831DB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EDA6B41FF21950A2338CA67B58F831DB --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1284
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=988F425B1D85FE06F53AD6CFF5128F4A --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:784
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=83BAC4FA726793CA70D62B678775EBAB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=83BAC4FA726793CA70D62B678775EBAB --renderer-client-id=4 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1704
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=16DC1B2D406508EE84CE299C185E291C --mojo-platform-channel-handle=2536 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3312
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=69FF7FE985FDDE0B4B2D9405AFC89F04 --mojo-platform-channel-handle=2112 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2868
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8BEBB50239B07BFBD010A976F6CDE7E5 --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c12c748a54f7d00f88d4c68431b9e4ab

SHA1
0811d602adbaa430faef01fbbf37021b36152518

SHA256
8ae4b8acfdf76abe771468879fe60212738153dcd6e82da308e3e8961ff20c6f

SHA512
113ca59aa791e7bd25e1ca14ade2407c814fe6b42276eb16d61c1e98fca9f77c45c04c8da06aa39f8fa4a0b990e95e88355dc91db364b778ca7cf6af6b5bee03

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8bd97f7e496c8cef8b2542d409d1eb8e

SHA1
608cb33cd5bfd6b32d119b6d22bf1028016dbdc9

SHA256
4f96a18515a11d8704e16e58e902ebc82f29436c3ba706cc3e8dfb8039f5b40a

SHA512
c70275e1533cdf56d732e7819b78b5c46c362e820d9686181b8cf01b9299efb7ebfb9cd63a7291083dd49bc0b0dae3849ae403395e1db5269f6eba7510e9bb67

Download Submit