3bf838f7d0fe12c848783889464c8398a722327367dbf3117278bb32574e5ae8

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bf838f7d0fe12c848783889464c8398a722327367dbf3117278bb32574e5ae8.pdf
Size

2.3MB
MD5

016353a2673d694b668b7319bb09e816
SHA1

5b6d8f9775f5746051527901379949fb6c371395
SHA256

3bf838f7d0fe12c848783889464c8398a722327367dbf3117278bb32574e5ae8
SHA512

4963e2ca35ffd330c760874c4cc60e7d21d9a24a26731f52b15f41fd8d18db0eb8c07cc92986fb6a7076cf4d2c11e82ab8ea4ce7e75615a78638ad43d7551228
SSDEEP

49152:oMugUeCBMP7rSK0Oc0dYPnurzVJvjFhrKB4JYM:oMugUeOM/J0Oc0YczDv59J3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2304	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2304	AcroRd32.exe
2304	AcroRd32.exe
2304	AcroRd32.exe
2304	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3636	2304	AcroRd32.exe	96
PID 2304 wrote to memory of 3636	2304	AcroRd32.exe	96
PID 2304 wrote to memory of 3636	2304	AcroRd32.exe	96
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 4660	3636	RdrCEF.exe	98
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99
PID 3636 wrote to memory of 3792	3636	RdrCEF.exe	99

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3bf838f7d0fe12c848783889464c8398a722327367dbf3117278bb32574e5ae8.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5959E64377EFB2AE8C9430CB61208881 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4660
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=18ED09E648D33B1963579A88204B2809 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=18ED09E648D33B1963579A88204B2809 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3792
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B7A119A9D5FD8E18DC43DC4C6C3DE138 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B7A119A9D5FD8E18DC43DC4C6C3DE138 --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2076
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=80DD72FA963C32BF15969DE2F7650B6D --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3024
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8C63E8F87EE60163F77904B4AFED4591 --mojo-platform-channel-handle=1968 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:748
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=76296C1B3AED08D64FAA95E6ACFBFD43 --mojo-platform-channel-handle=1884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
577b708b9a717270c6ed95155326875b

SHA1
ebd45dfe9b239aab137a5cb3d92653e297a73d3c

SHA256
e13b141542ad5c0cc15e54051e5513a55ec2ed04a8a22b85bba4fd3837ec6f1e

SHA512
29a4f24ebe5518a4859c4cee87daedc95fafe816a1d5aa96539dfaceafe6229fdfa0b7357992b42ac91a7df443e73cdaaffacbdaebf70846438046a3a8c40c32

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9cb605ab0102d250caba0cc82c5cf663

SHA1
fd0dd0afe49bd25db3c9692cfae092a80cbbb393

SHA256
5d7f0c653b831c7ce9229f0cff59347279b3e12677d9848e23632ccf0d362c17

SHA512
b4352ec6bae8ef15107a3f361dc18e5ac5610dfbaedd27b2bd11fefc8bfc7bdea87b1048cba0569ba0191222490215d47a75ed136dfa50a3038c68895b922bb2

Download Submit
memory/2304-28-0x00000000098A0000-0x00000000098C1000-memory.dmp

Filesize
132KB

Download