91e2e09640a3ad87cd72d2625584b98e03643ad16effe605b4a99cb34b97df1a

Analysis

max time kernel
157s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91e2e09640a3ad87cd72d2625584b98e03643ad16effe605b4a99cb34b97df1a.pdf
Size

324KB
MD5

9bac0630178d39ceeeecd732df3c9a28
SHA1

6328f241e45da1fbaba3cd4a5e819e8dab05cd7e
SHA256

91e2e09640a3ad87cd72d2625584b98e03643ad16effe605b4a99cb34b97df1a
SHA512

b836363604fdf9e5db4c6e0c66493caa045bb04ff856762450da45ebba8cdc55c7586acae2e85d0436aea6bdcffe52636702489618df55e0f247cd5f1fa55715
SSDEEP

6144:G8T1jZMtZ4ja1vk1DwAE3SIJy/l8k7Li9gjNMuZ:Gs0D4W1LiI68Ee9Yd

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
464	AcroRd32.exe
464	AcroRd32.exe
464	AcroRd32.exe
464	AcroRd32.exe
464	AcroRd32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 4256	464	AcroRd32.exe	112
PID 464 wrote to memory of 4256	464	AcroRd32.exe	112
PID 464 wrote to memory of 4256	464	AcroRd32.exe	112
PID 464 wrote to memory of 2684	464	AcroRd32.exe	113
PID 464 wrote to memory of 2684	464	AcroRd32.exe	113
PID 464 wrote to memory of 2684	464	AcroRd32.exe	113
PID 464 wrote to memory of 1072	464	AcroRd32.exe	114
PID 464 wrote to memory of 1072	464	AcroRd32.exe	114
PID 464 wrote to memory of 1072	464	AcroRd32.exe	114
PID 2684 wrote to memory of 4960	2684	AdobeCollabSync.exe	118
PID 2684 wrote to memory of 4960	2684	AdobeCollabSync.exe	118
PID 2684 wrote to memory of 4960	2684	AdobeCollabSync.exe	118
PID 4256 wrote to memory of 4324	4256	AdobeCollabSync.exe	119
PID 4256 wrote to memory of 4324	4256	AdobeCollabSync.exe	119
PID 4256 wrote to memory of 4324	4256	AdobeCollabSync.exe	119
PID 1072 wrote to memory of 3920	1072	AdobeCollabSync.exe	120
PID 1072 wrote to memory of 3920	1072	AdobeCollabSync.exe	120
PID 1072 wrote to memory of 3920	1072	AdobeCollabSync.exe	120

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\91e2e09640a3ad87cd72d2625584b98e03643ad16effe605b4a99cb34b97df1a.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:464
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4256
    3⤵
    PID:4324
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=2684
    3⤵
    PID:4960
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=1072
    3⤵
    PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads