7139b788e54b9658af42b514894935d01ca9f4f019e12b3e118092d0f9e876b5

Analysis

max time kernel
148s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c331289d2bb4356e0bc5f8f87a2f1feb.pdf
Size

13KB
MD5

c331289d2bb4356e0bc5f8f87a2f1feb
SHA1

db2e6f573a2d07f1fed9af04f376db4d5f3c7182
SHA256

7139b788e54b9658af42b514894935d01ca9f4f019e12b3e118092d0f9e876b5
SHA512

a53f4b45372c91b9f2fddf9809d4c058ce63b1ba597835c6991da1e9081f788843d571a0fbd8ccefa5c8bdbd1171e6dc38fac88fdd8cc6163ef382ff146a01ce
SSDEEP

384:DLEMMLEtysyPSSp3UG3sY4Ne7ldmyUG3sY4Ne7rl98pRPFOF++:Dg/gISSp35se7ld5se7D3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3056	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe
3056	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1336	3056	AcroRd32.exe	98
PID 3056 wrote to memory of 1336	3056	AcroRd32.exe	98
PID 3056 wrote to memory of 1336	3056	AcroRd32.exe	98
PID 3056 wrote to memory of 3560	3056	AcroRd32.exe	100
PID 3056 wrote to memory of 3560	3056	AcroRd32.exe	100
PID 3056 wrote to memory of 3560	3056	AcroRd32.exe	100
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3356	1336	RdrCEF.exe	101
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102
PID 1336 wrote to memory of 3336	1336	RdrCEF.exe	102

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c331289d2bb4356e0bc5f8f87a2f1feb.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2CDABA09EF828BA20C3CFBA351EABAC2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=826C2A4293765526A8990E1A9356206D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=826C2A4293765526A8990E1A9356206D --renderer-client-id=2 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C95CBF3CDE7B796D209B3C8CF6DDE107 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C95CBF3CDE7B796D209B3C8CF6DDE107 --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:924
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DD7570FAC1F05BBCEAF3057FFCDFDF00 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2580
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A727EF00AB19B0833FD8E04688189D1E --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2148
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B49879CEDFD8DBE1D1201D9F62CE4453 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1624
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
500c3cdde835b3a701733f0cee5859e5

SHA1
168bb73ec4ad0942a39abd27f4f5cfdb474692df

SHA256
69073b3b9e28c2c95e5a16fbe0e6a345e5b0f7df46666407ac0d13f9ce094066

SHA512
da22a022b04f5fb2553c8e9ab011718d68819a0ef2fadc2563c6be6249cf62c34a1240eb0773e39c9ae1a248c91e547ceba01ab87969a521c479d2df94ffbe69

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f70405c28df3936c733a1bbd52b6f577

SHA1
d582eb4b527fb9e06a8ebb8c90d3c3fec8e7acc4

SHA256
84ec294a2a7704c73caa78875e57a8c9dee53bc454e90c0cb1c64d863dceccda

SHA512
96fbe99522e589a0d02e55c5893bbe9a402f9b69f7a8f7c88e8c20bcdddb043ca032ee9dded4ea203ba69df8074e63afab082e8463d2d8cb97cda86309279c99

Download Submit