b754e87ce0442fa43d20888e6b21b7a568d36b29f895f72499a75ce0f5a15838

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 21:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d490b63852ecb72f0bb2e31f6310be4d.pdf
Size

90KB
MD5

d490b63852ecb72f0bb2e31f6310be4d
SHA1

77dabe0270b573dda76eed1a4993f76139e88c56
SHA256

b754e87ce0442fa43d20888e6b21b7a568d36b29f895f72499a75ce0f5a15838
SHA512

27c201844b1dce25f83193c2dc821116c9fa955a698b72c32fbc4b7028ff6f39e6cc9f4770022e553f05793865b9fbfef5c15c6dd1aa5f911e04cbf914295a2c
SSDEEP

1536:SouG+AEoDm92ZfKG0zNlFYNq3ndqP2Rx9eW9cxmXO5WkNpOPTxoneWqWUU0LMaLB:zW92Zfa2Nq3sKx9RzXhPFoeWWVLMa1

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
32	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
32	AcroRd32.exe
32	AcroRd32.exe
32	AcroRd32.exe
32	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 4460	32	AcroRd32.exe	91
PID 32 wrote to memory of 4460	32	AcroRd32.exe	91
PID 32 wrote to memory of 4460	32	AcroRd32.exe	91
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 936	4460	RdrCEF.exe	95
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96
PID 4460 wrote to memory of 3680	4460	RdrCEF.exe	96

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d490b63852ecb72f0bb2e31f6310be4d.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:32
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=20F0DDDD825A655C6EAD21122F091AE0 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:936
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0EA88EF4EA5C4C90B3114C24D137B2B8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0EA88EF4EA5C4C90B3114C24D137B2B8 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3680
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A9F11AF2AFC9F2CD6BB27ACDC6AD3814 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2684
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D240326C47C282A90C2197AD47164B8A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D240326C47C282A90C2197AD47164B8A --renderer-client-id=5 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1840
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC6ABEE897C71C7BE4CC91BF827D5693 --mojo-platform-channel-handle=1884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4904
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7CBC73C1F7A2B162A95AD7E1C0A03DF --mojo-platform-channel-handle=2592 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6f8687d40c267bb21e453cdba487b6c7

SHA1
b07b2cad3196fc01e1a2b2900547ff5b9e5813bc

SHA256
4e32d8c8a3aaef93fdfc19cd213b33089a747792e39fd1f9fbde3580633a8da5

SHA512
842a420f0585e50b277343b260c2df313ab526fafc0a09d12c8d4f68cbddcfb1fd5ef6a422e82e9a0ecec9ba1bce3db2b5301dacb04335fabe99d62c6fa8a895

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6fdaf959ddbea9f6aa02d025a3758979

SHA1
27ba09cd746bf11f118549a0180fe0b2c8ce7fb9

SHA256
f53aedb95e2d050fcdc858680fd1cabcab5cc458f4d1693943f084320f7c9f3a

SHA512
c4da46237a6d69975e81ca7af43c807d8c366fd5cb08d5f0cd759a3e2b79ec645ee132692a936e0e23cdc48cfaa5440616f42428de8150326c926f2a6985b4e3

Download Submit