8a7f78bb4b6a925f8a84c180db8f435bc9d14cb60b8d455da77471a5b3ab9e47

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3c1bfa6d6aa709a5983f981a4d91664.pdf
Size

92KB
MD5

c3c1bfa6d6aa709a5983f981a4d91664
SHA1

08c22acff21149257b0431a5de2fdce9015157aa
SHA256

8a7f78bb4b6a925f8a84c180db8f435bc9d14cb60b8d455da77471a5b3ab9e47
SHA512

52be7dba600e4d084e0721a6ca28d2912e43e64b7a1f282b3f6dfa5e53f7801bd25013c0a4ed57ca0e6017085ab2e9e7f6f9419459e8a329bdbeb74f105cc085
SSDEEP

1536:+/8PdPfFuoJvG2NLAKLxe7vckISqHObXWWGpOKCWbOqBUuGP9YEDmnQn:rPdPnG2RAKL6viObX/K5OaGP9mY

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2712	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2712	AcroRd32.exe
2712	AcroRd32.exe
2712	AcroRd32.exe
2712	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 4652	2712	AcroRd32.exe	95
PID 2712 wrote to memory of 4652	2712	AcroRd32.exe	95
PID 2712 wrote to memory of 4652	2712	AcroRd32.exe	95
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4712	4652	RdrCEF.exe	98
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99
PID 4652 wrote to memory of 4616	4652	RdrCEF.exe	99

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c3c1bfa6d6aa709a5983f981a4d91664.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AF58FF2853A128EDFE88235C5D769D42 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4712
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3C42A256987FC9B9E4564F87E77A0623 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3C42A256987FC9B9E4564F87E77A0623 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4616
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6DDC905A67E48BC5A892C40E4BD82EB6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6DDC905A67E48BC5A892C40E4BD82EB6 --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B520B13E98460ABD8C9D9EB25077B97C --mojo-platform-channel-handle=2428 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4884
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5D26BCB6AB117EEF78442A535825346E --mojo-platform-channel-handle=2688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4216
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=547EAC3A4E74A74C40C97C3DC9846002 --mojo-platform-channel-handle=1872 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1140
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d4cc58856c39f7bad4d25ca8adfd9a43

SHA1
86697fc4c0dd42b9a43de88bc72d47dfa0163fa5

SHA256
9902e949fa7798fce196e715a09429b9bd0c98ddfd8319cc37b2dcdd763f0e8f

SHA512
d0de79149f60a4219d9cd3eabdea1196f33d3412947cf68b96cac3096f60dd45d8ddd4452129d4052ed768dcb7477bb38224c4be37ff976641f42f04fd45761c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7853431def624e7e8687145a47f778d0

SHA1
31dbac4829f5c6f5c40f85411f755ac9f986182e

SHA256
078e9e679712b5fe5c130b60c4aece1c4ba3d89a38f8052ea6cfb15afc8d907d

SHA512
c34ee4f63d62658c38d29b866c50d96cd49434de966b89cccb1da7d58d5541281707e6440e5b57be3ae8f973a47c41d308402b584e239a8dd8cdd4f973e6f7af

Download Submit
memory/2712-22-0x000000000B410000-0x000000000B6BB000-memory.dmp

Filesize
2.7MB

Download