5e33d5f28c124b1757603450acc5b0b95d8f503eb280ac4a6c35ef2f5e15a08e

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0ee7fd9d2b60d83b19bd859b3358b50.pdf
Size

34KB
MD5

c0ee7fd9d2b60d83b19bd859b3358b50
SHA1

b923d84c3eff204086d97280ee530bae71e6658f
SHA256

5e33d5f28c124b1757603450acc5b0b95d8f503eb280ac4a6c35ef2f5e15a08e
SHA512

63b671f71812e42e746b58b236aa92d629d5dc4e4daae404fb4affc512728562d46dd2dba5bfe1a8ebd3414039f4e996ce7ca16d72b75d96b24be8c571d6acd8
SSDEEP

768:wrPkFj58Lz26P9t3ezhxcrvzrzSsA+gus5qoQsBNtF/amrtpahQhZ2+uHe:SCgg4O/FSmrtplVuHe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3524	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3524	AcroRd32.exe
3524	AcroRd32.exe
3524	AcroRd32.exe
3524	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 1868	3524	AcroRd32.exe	93
PID 3524 wrote to memory of 1868	3524	AcroRd32.exe	93
PID 3524 wrote to memory of 1868	3524	AcroRd32.exe	93
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 3776	1868	RdrCEF.exe	96
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97
PID 1868 wrote to memory of 1836	1868	RdrCEF.exe	97

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c0ee7fd9d2b60d83b19bd859b3358b50.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E8A6BFCF082CB26FB55B4E7606463430 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3776
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=487D4A77AF1119316F3D8774BA195995 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=487D4A77AF1119316F3D8774BA195995 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1836
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C91942CCFD6E889EFFC33FA00526B402 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4692
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=714CD52315FE9051BB2F2CD5D3AABCD0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=714CD52315FE9051BB2F2CD5D3AABCD0 --renderer-client-id=5 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2840
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C33A855FA397C6FBAF6FD1EDCFD53B9 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1852
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0791FCFE0F912CA11B1E955C99FEB975 --mojo-platform-channel-handle=2760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5fdf3f796ac9cfbd562141118d545cc3

SHA1
b1fde0a0afc1029007e625acbf0c01f1885f53c8

SHA256
fd4a8f9586524717c115aac16180bac5e2e6f13a03b7288ff7543e33e72c7df2

SHA512
5f733cc45ecb10f567912ca35be75af993d052f465a4350136e67e1ed9dc04bebea4507568d5be12bf674a02b320ec58dd318b89c2dfc04cb6c2aadaa1b70b34

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a838189541443a764ebcb80959009172

SHA1
802df47e3509a96a58c9f75fe8d26eb995f29c4f

SHA256
3289bef364b32e1fa0b267e8faa3ab643ad8dd1c0e609e6febaaff733a20977f

SHA512
55b6dfe1cfb051a547b81be749ab099891a6d3ca2ac7f2b98422bcbafd9b33ad4f93931c45e7f2e014d4abc9c8d60a8a0b48901f886c858d0b91b8d2746688f3

Download Submit
memory/3524-31-0x0000000009BF0000-0x0000000009C11000-memory.dmp

Filesize
132KB

Download