d97ac071fd637a7d5141b6f77b2234b7a2d30764ae8e3314271a6590d22f2bb0

Analysis

max time kernel
156s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cbcffdf5d72f13eba1608c965b0c854d.pdf
Size

80KB
MD5

cbcffdf5d72f13eba1608c965b0c854d
SHA1

b52d64c6c25e9723491612e7256d718bf8475e82
SHA256

d97ac071fd637a7d5141b6f77b2234b7a2d30764ae8e3314271a6590d22f2bb0
SHA512

26da3041651a7dcdbc12a0a66a6cb17bce59ffb318b9ebec6c7919fcb455cd80dcefd7359a395856947edf554e47fe81849a43b4844db3f886be5e8358c9f518
SSDEEP

1536:EpvECVewqZvF2V0d5BjJSkax5Z7WlVzoUW8pOGQhc+KIWHJiZ7+RLBa:uv5PV0d5BjQnx/KTzWG3+K5jo

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2532	2744	AcroRd32.exe	94
PID 2744 wrote to memory of 2532	2744	AcroRd32.exe	94
PID 2744 wrote to memory of 2532	2744	AcroRd32.exe	94
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1152	2532	RdrCEF.exe	97
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98
PID 2532 wrote to memory of 1832	2532	RdrCEF.exe	98

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cbcffdf5d72f13eba1608c965b0c854d.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6EF69FF5BE70E9541652D5D1F42C1784 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6EF69FF5BE70E9541652D5D1F42C1784 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1152
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1566BDCB8EB257CE844C696408514A91 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1832
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=96A36CB49FB36273F299A0D40605F684 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4384
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E227C74B8BB0A6FB8587966A1DE0DCF9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E227C74B8BB0A6FB8587966A1DE0DCF9 --renderer-client-id=5 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2520
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=38B9727A47877F3E27B0A22E5E28A7F8 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4324
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D50A380E0887EBDD8173A96416D0F5F5 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
445cca42c95dc71f16f57d42af77b9b3

SHA1
ac837c90435a9c3c77a9c96abb6ddd54f410bd8a

SHA256
41caec5162b7ddeb239bf01a1d351b58695917250b1ba729ff2f355eac3a0b79

SHA512
0db2764795d52f2ffc3e6025a506734aeef0f831414b77e9f176046579c532e14c34a47300ef79a56c101d6b1f2d6d22aec8eb8fdb063c1858510e8c7cf1b785

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ef8b9b191a927c7942db65cde4f384df

SHA1
b0e04f005e503d5e792a07395d420216823c9e76

SHA256
cf3f623a187514b200d2e6776d646d03aa5211d8e3b0d0e641f578e6ebfc3e44

SHA512
7295afdd435ea749dc59eb9c95480cf0341bf03d6cc15d996155427df777606c4176a5427a193295520e87e1f17e7db2bc33c3094cf991baafd9e808b3f0dbe8

Download Submit
memory/2744-85-0x000000000ADA0000-0x000000000ADC1000-memory.dmp

Filesize
132KB

Download