8b35310cfdcb3005ef130f75d38de2aba649ee7779e71cdd75152d9e45ae24c7

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 22:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c9ba3ab61635f2781f87473ffedbc591.pdf
Size

104KB
MD5

c9ba3ab61635f2781f87473ffedbc591
SHA1

83824a4d080791dcb1da5d08070445f8289d2ab4
SHA256

8b35310cfdcb3005ef130f75d38de2aba649ee7779e71cdd75152d9e45ae24c7
SHA512

d704d48b68b99c1aa4c1a8478257d62f198ceffd65318e2e9d373bda9498b8125b7be50d7aeadc58a362ee9a9cb0954873621ec97ab3a31b6230e5169d83ecc3
SSDEEP

3072:Rgb5+69X9ijxyCShvWuer0kwsc9T89f5BKqoC1:l69NijxyCShel48RLJ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4416	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4416	AcroRd32.exe
4416	AcroRd32.exe
4416	AcroRd32.exe
4416	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3240	4416	AcroRd32.exe	91
PID 4416 wrote to memory of 3240	4416	AcroRd32.exe	91
PID 4416 wrote to memory of 3240	4416	AcroRd32.exe	91
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 2472	3240	RdrCEF.exe	94
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95
PID 3240 wrote to memory of 3380	3240	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c9ba3ab61635f2781f87473ffedbc591.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E31A12E06527CD74722D3E8A4986954D --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2472
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=37A3BAF58D16B1F7928390312751D016 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=37A3BAF58D16B1F7928390312751D016 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3380
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A50148F477B01E1913CB37599C930097 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A50148F477B01E1913CB37599C930097 --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4388
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=081F2AA85AF6F7BAD7FE3D427078B557 --mojo-platform-channel-handle=2544 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B51CEE234315DB8703D7F594028682E --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1604
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D5C9D99A8EBBC1EA95924D57240A889 --mojo-platform-channel-handle=2624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4c3a4a2f58de404e5f53c3d32297aa07

SHA1
52e3bfb01472f40587322fac309294354529a2dc

SHA256
9d815ea49fb979f17ec9f035a3e4027a50a535c70f521e1993aba404133546b6

SHA512
4257e46525e700459b29ae3e89a8808c38efe76a77f5ee678d909f467495e35f018dacdca9385fbdac085869787b841496d2de730c37c848494ca0e772b59c8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
cc8e2b857055fdee16225402cd202372

SHA1
277739393d1c7a6b2e0ae73b68856eb0ac2b6783

SHA256
0740dcbe28209bd663debd33375463bbb547f41d0c86addf46dde14e66131915

SHA512
095b38185c34683b36990a3618a81746694a5551deeda9089f4c450d887827bac4d414f50d7da082f81711774d9416199e54d7018078e167ce2b84541f9c5799

Download Submit
memory/4416-31-0x000000000D190000-0x000000000D1B1000-memory.dmp

Filesize
132KB

Download