5a6a2261b97dba4dedaa06ecea27e5dd46d0cfe4709c8dd7980ad339f020b499

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc2a77921cc250b2c7af1e5b1e6fb894.pdf
Size

94KB
MD5

bc2a77921cc250b2c7af1e5b1e6fb894
SHA1

bc052272f2a4e7ef292f1791f78447c930f19306
SHA256

5a6a2261b97dba4dedaa06ecea27e5dd46d0cfe4709c8dd7980ad339f020b499
SHA512

de7ce2383327a924d8dd6d31d3701ba250eb54c995b9a1df78e212f8d0975c742b78d80bce86a59a7db55f45b78bfa5c37685456d6eeb4340da8f741c74ff5cf
SSDEEP

1536:YMgI3qhYJdVnenFMfVzwVmi6twuXMJAWemWCfJuEu+pQZjOKHbWQpOCkc1:4I3aYNn6WZwVmFwutr+aR7HGCT

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
844	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
844	AcroRd32.exe
844	AcroRd32.exe
844	AcroRd32.exe
844	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3244	844	AcroRd32.exe	95
PID 844 wrote to memory of 3244	844	AcroRd32.exe	95
PID 844 wrote to memory of 3244	844	AcroRd32.exe	95
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 2268	3244	RdrCEF.exe	98
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99
PID 3244 wrote to memory of 4648	3244	RdrCEF.exe	99

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bc2a77921cc250b2c7af1e5b1e6fb894.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=21637E2A479419A01158ADC770330C28 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=21637E2A479419A01158ADC770330C28 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2268
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C578A5E4C28F9DB1D17F871570D77A36 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4648
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C2CDD1A7F3123CC6F04EF25D97D19ECA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C2CDD1A7F3123CC6F04EF25D97D19ECA --renderer-client-id=4 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2160
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E307C587525C87FDA9DA21C02109C505 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1736
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D433D0D38150E5AF59AA95A586E22B13 --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5068
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=42ADE147146A73984C6EA0680A1CCCD1 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
93a86e0cf1dfd653883bf8586d829c9b

SHA1
d951ebb76d1e7cb3a15bd69cb6f1f5d4e4cb6850

SHA256
6373e599a181ebd08235af02648dc1bc757ea9ea01d55218316597e1d6c5a0c2

SHA512
5e86e92aa815c3d5b88ecc307f7bd9bb60474e979b8ae0d92cc749944d39797ef9277bd12f5d95dad04e28f89f14d4f25c4a1c8d9fb68f9ad5dd4693f07d69b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0bb48d374adb8d75094613f143efdc84

SHA1
82ca0bd7d6370e9295c3bdd3603d292d77aea188

SHA256
5ddbc69d1997a050ff7b0d12c817ca2ed1c9ed44ee04afb3bfa2bf0f746cdbcd

SHA512
15beb158e71f879b718a3d1e3289b1fe4a72f7701b1eede9e4e8c954aee0aae5ef421b713fea11b441291a6348372f49a384344e87ede045794cfd1874c8ec78

Download Submit
memory/844-31-0x000000000C230000-0x000000000C251000-memory.dmp

Filesize
132KB

Download