998cda49636d5a9dc486ee9034cecd50e44dfea182d9a12b676987fb92027e4b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b761d09f79568c912de727a06a329359.pdf
Size

78KB
MD5

b761d09f79568c912de727a06a329359
SHA1

11d89a1d65f528fd753947d4f812629e8b76789b
SHA256

998cda49636d5a9dc486ee9034cecd50e44dfea182d9a12b676987fb92027e4b
SHA512

3da81d502cfaab4af6be3468bd5a78eb4bf64c17268894a634c70b25ba5a8938e859bf775b0fb1d3193bc63fe579296464b4f13554a76803712a495836379891
SSDEEP

1536:HKE0gmrA0lKIFqkhl4Wme/NNwpRxF4R7i5bXJfl1o/J/N0WWpOxUWJG8enjf6TZh:h0jrA0VFqkyxs7qxi9SVsbxxdmyj

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1840	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1840	AcroRd32.exe
1840	AcroRd32.exe
1840	AcroRd32.exe
1840	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 448	1840	AcroRd32.exe	97
PID 1840 wrote to memory of 448	1840	AcroRd32.exe	97
PID 1840 wrote to memory of 448	1840	AcroRd32.exe	97
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4044	448	RdrCEF.exe	99
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100
PID 448 wrote to memory of 4024	448	RdrCEF.exe	100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\b761d09f79568c912de727a06a329359.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4456C39F875976E0413BC8799A1DD2DC --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4044
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D0AC8038FC8919D2586E4FE11BE204E9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D0AC8038FC8919D2586E4FE11BE204E9 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4024
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DEB29B0C76DE1259DFD15B9C23E25909 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4860
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B5CB1259CF4B6E9D059E13A20D517F06 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B5CB1259CF4B6E9D059E13A20D517F06 --renderer-client-id=5 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B07DCCA0633974E5DA2F12D40BD2163D --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2512
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=95BB3E09F3FEED95D4095CF63C4B9C7D --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
51a18b66df9ebf964ebcb410585f53b6

SHA1
8c1b75a347028fa75e8aed7901b2a5e6e1e052ad

SHA256
e2e333b1a92fff9978b630d44337c6daa3ea92b20bf3fa72320b231f377fe6d5

SHA512
9874e3fdf5196871ea6ea441e5d7808c3902f279a337147fe034e88f76b68dd1c65c231a5077d870c0b6fe2083c3cc8ffd1c2bf27989f2972354ebd439a33e3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
323754002ba927681fcd31fb9b0df4a8

SHA1
f00dd1b7a7bd36f8836ba8f7d407cf21a1a68ade

SHA256
7b2705a06e81eef495152f44a322ed1b4ec805953e76a939c8b201e02a75ad68

SHA512
d3147583323266104207d8c4fcd9037e71d1823602c5aa22e133108b47a0f67336e194663f9bbaa95611bfcd2e95b376a72312c6d6fec05e4ff74c2081e70209

Download Submit
memory/1840-28-0x000000000B8B0000-0x000000000BB5B000-memory.dmp

Filesize
2.7MB

Download
memory/1840-29-0x000000000B8B0000-0x000000000B900000-memory.dmp

Filesize
320KB

Download
memory/1840-31-0x000000000A120000-0x000000000A141000-memory.dmp

Filesize
132KB

Download