5c56b02bf5d75ad26783787e859c3c9e0fbdd9dc06960a2e30e526ea694694e4

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd908a1b21031a069cabfcc4fb2f90a2.pdf
Size

100KB
MD5

cd908a1b21031a069cabfcc4fb2f90a2
SHA1

67e0fa60c6b0a2aca159b15749cb069e6849986a
SHA256

5c56b02bf5d75ad26783787e859c3c9e0fbdd9dc06960a2e30e526ea694694e4
SHA512

374b4f6ff64b66e96ec5a473b1ab3e78f96db39be00fe25ea058773c73f26826e9dc318387af3088b81d5dbd5b0a0fe542a3e224dc9626813d9991968d81f9a2
SSDEEP

384:B3kjOZaPFZ0po04+20qqf5MdCoz0tv0Ri2SYD8w+0rC+CTR5n700k9p0oiXZqOT6:mH

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3720	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4648	3720	AcroRd32.exe	99
PID 3720 wrote to memory of 4648	3720	AcroRd32.exe	99
PID 3720 wrote to memory of 4648	3720	AcroRd32.exe	99
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 3508	4648	RdrCEF.exe	100
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101
PID 4648 wrote to memory of 1804	4648	RdrCEF.exe	101

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cd908a1b21031a069cabfcc4fb2f90a2.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4002C7BBEE4A96B27CAE41EE140FEADF --mojo-platform-channel-handle=1616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3508
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0FC9E4D9D212137C71B7949765C7BBAD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0FC9E4D9D212137C71B7949765C7BBAD --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1804
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C0D1676B2E5182B4CC51B6777EBC43A3 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1748
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F21A2A2FA35D60B7AC5A206BDB79DA49 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F21A2A2FA35D60B7AC5A206BDB79DA49 --renderer-client-id=5 --mojo-platform-channel-handle=1832 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1468
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A635B8C0DCEDE1799CD69D87EB4F507B --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=88658439087ECF44A03BBF3237F6D892 --mojo-platform-channel-handle=2660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
79e1e9878665f6dcd6ebdde73c4736ad

SHA1
a0b44e5cdfd9f08e1b6852fec81e20af2ff423aa

SHA256
f25f8dd9cb902f19db21ff3ac8149fc5ffde3b3fe51efad98286204eb75fea4a

SHA512
802617c11da37f438d82462d0f5f87322e6da0e94cdd093f0a4cb8a147fda0c0fc423d5d7815e7b21bb1aeabf9c2be481c078746737d1c70f41bc429d13d9d70

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f632c1dc779de5331f8670ef53407529

SHA1
704c087b9954dbc5143c04b3ada1c3abbf9ed534

SHA256
849189a49b7640232e364ecf8fb2d3a35fcb8814054d5bc304305b3f51ae30c4

SHA512
223c86b1577c3aa941883b040bbe9347b16b5037b6b91bd99a79c86d82b939322d8347aa2dc6f96afbd1e6a886304f9b9feabf8e7ba9e96382b8340df766a752

Download Submit