6abe0fd040f29884dbd5c56d391b1364b7aa2171797ee8b681bc1aa729a0b7f3

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbe49a253ffe98f34c2b5ff47ec06b40.pdf
Size

105KB
MD5

cbe49a253ffe98f34c2b5ff47ec06b40
SHA1

2d96c2650ebc5f50879774ab640e0bbff0ca0cb1
SHA256

6abe0fd040f29884dbd5c56d391b1364b7aa2171797ee8b681bc1aa729a0b7f3
SHA512

90a7fcc10c2aea4841519c2718fcf824861297b810385249abe49d5f2e1d30d011f67982128ee639c91c957ba14893f4273c4a6e8de08d5e13c6c81f0a8ea906
SSDEEP

3072:SW0IDnAx2nJeTT5kMzpHNXdQHRmuyaEkN1b:SWWwnW2UZdQLl11b

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2216	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2216	AcroRd32.exe
2216	AcroRd32.exe
2216	AcroRd32.exe
2216	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1760	2216	AcroRd32.exe	95
PID 2216 wrote to memory of 1760	2216	AcroRd32.exe	95
PID 2216 wrote to memory of 1760	2216	AcroRd32.exe	95
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 3628	1760	RdrCEF.exe	98
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99
PID 1760 wrote to memory of 1700	1760	RdrCEF.exe	99

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cbe49a253ffe98f34c2b5ff47ec06b40.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7A1F3BD755E8EB05E960BF5F76448093 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3628
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A6448E906DCA658BE5686BBC29F9FFDA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A6448E906DCA658BE5686BBC29F9FFDA --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1700
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A441D5B2D1F7AA6FE97EBE59569E8087 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A441D5B2D1F7AA6FE97EBE59569E8087 --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1468
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=179613734374961643099C452A5D9C86 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1028
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7FB239C9CADA7186BE57C0C3A93652B7 --mojo-platform-channel-handle=2580 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2684
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F691501ACC9626FDF818F61EDC597C1 --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
55fb541e49532025bdece54358d3ced4

SHA1
8b634bd4021bc01ebc610af158cedd960cdf345d

SHA256
8377e230d32040a806dbcf4db9a1bfdf5e57eff14bd6f4295629b58b62486bfe

SHA512
39caa18c3f769c269a7c1b11873616701a634c9b730ff55be012db30694ea55cf3fe21d661b026334245cbf8ffd873b5cfeb3ff4cc18a7841d8c565639179bf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8cfe51583e3e666213b8dd12d4a6e94a

SHA1
6b57889f58d9b9083aa9014c450acabde2f4eef6

SHA256
94ac4b557e116248473f1cbaa7b02c22e39f4abc7ec9f00a22f126fea011c112

SHA512
bb8ea0fdf6d231fb0e10c70dd6cbd591a1c28db3f1067ac41f00dc261217d5cb3747a26fd1324ecac0a0513bc6323a28d403006361e68284687de7db113b66fe

Download Submit