44103f6dd93588cf61c2deffcd90afb31318b7c8f0c768e606c5a22cc5af8552

Analysis

max time kernel
152s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c134230b3bb1025d19d1718c5985a09e.pdf
Size

163KB
MD5

c134230b3bb1025d19d1718c5985a09e
SHA1

8c7600daa927a1750a9cddc122bf215b8b72164f
SHA256

44103f6dd93588cf61c2deffcd90afb31318b7c8f0c768e606c5a22cc5af8552
SHA512

d4955b198291925388005ac4230f42e6a7caea6cde7137562bd1e32d1dc7779f029a6fcbd5104beab7b3bf434982dedf1dabf663714250fe26cdca8251dd159f
SSDEEP

3072:zPHvwlDDzCPz+ES9TyDj6E8VFj+RXyxuOot99JF5Fdbwj6R3H8s6/VwrwbJ+T:D4YT6TyHgf+gAOot99JF5Fmext6Z6

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2164	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2164	AcroRd32.exe
2164	AcroRd32.exe
2164	AcroRd32.exe
2164	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 4688	2164	AcroRd32.exe	90
PID 2164 wrote to memory of 4688	2164	AcroRd32.exe	90
PID 2164 wrote to memory of 4688	2164	AcroRd32.exe	90
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 2308	4688	RdrCEF.exe	91
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92
PID 4688 wrote to memory of 3132	4688	RdrCEF.exe	92

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c134230b3bb1025d19d1718c5985a09e.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BF78CDC68E40F53EF236D64AF78C1944 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BF78CDC68E40F53EF236D64AF78C1944 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2308
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=81E3FE68242E2E587FA56F90CE9F0205 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3132
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=918C1D964219C3D979BFC8119EDF99D0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=918C1D964219C3D979BFC8119EDF99D0 --renderer-client-id=4 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BDCE2E0911B10252699C3865AEBDD09C --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D978D80904D07EA5C369765EA634E74 --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4660
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=857D257BF0AFC3D9B8A0144A4704D7D6 --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2ca4cdd3764bc424ce2d4ff75df1faa8

SHA1
72e8fc8bfead29495fbe87267da586cadcaf2868

SHA256
d220e705ff772f856628c96db2f155b169bae0f86ab5872f58dd192f828e0b3d

SHA512
12f76cd8e6fc9388649f9b21172d779b3b351368679aa0abec231b6cf1cb07cf5278d902042baed2c7aee6586e34310a6a8f5818529460e13e2a6cf9d3daeb6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fda79b0629025fb1875b536442a1c503

SHA1
82b6bedf524440c142574cf82e4c87daf28ef4bc

SHA256
8800357837f9ddc06d3483d180281a174f4b42d125fca705486268610f012e95

SHA512
07a505bb41dbaff71734bbf7257f563949a26e80e77a9d83a9f4fda3a9e0c34280525b366db3e74dc4328a47e397be6e2dde3eb3b1e70ae2ca3b0d1014166cad

Download Submit