dabce5d5918eedf76e0f596e66d0b8bf4c6404b8d147c1da1f326f2010a53484

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d50afec1a468e6b9b2258d886fe1d9d5.pdf
Size

88KB
MD5

d50afec1a468e6b9b2258d886fe1d9d5
SHA1

161174d6f00071181f0acab7298cd0b535dab410
SHA256

dabce5d5918eedf76e0f596e66d0b8bf4c6404b8d147c1da1f326f2010a53484
SHA512

491120bd0667db4d50b885ad30c45d677399d1f5b58f1300bab353773ecd6e8dc09639a256527e3b2e36fa3d30b3bd43ab4b8e0404d29cd7b1a9f1071f7ac15e
SSDEEP

1536:FkRM4EYGLBO603NlfoCWJYswCz54gDoOa4ZIzdWmFzlv+V6U3uCeCPWOpOwrKW+j:KRM4ZGNO6QNBoCcYswCz54gDjpuzdNJp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4564	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4552	4564	AcroRd32.exe	93
PID 4564 wrote to memory of 4552	4564	AcroRd32.exe	93
PID 4564 wrote to memory of 4552	4564	AcroRd32.exe	93
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 4904	4552	RdrCEF.exe	96
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97
PID 4552 wrote to memory of 1668	4552	RdrCEF.exe	97

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d50afec1a468e6b9b2258d886fe1d9d5.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9983AC885F4CC2F32CE1836680447F49 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9983AC885F4CC2F32CE1836680447F49 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4904
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7BB064E7C37ADF8179B80D5B1B5A0EA6 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4B7BB5499A2BF494266E74E398734F7D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4B7BB5499A2BF494266E74E398734F7D --renderer-client-id=4 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2616
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3D19FB7A9CF3F7EEF66A0DB8E1E697A --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4664
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B3107A4EB12D98040FCB137813CAE175 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4300
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A29556886E8A10FF12FF520C7B3809D1 --mojo-platform-channel-handle=2780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5a0566a9c5f47b4a6f816cb8209a603d

SHA1
e5efcbaf167e259e1e48c7543ed34bad38c2c859

SHA256
0d0649a95a9a05f48a3a39bf8e960debcf0c17533562173de5c86a20f32b08df

SHA512
a05242c500527ef7b2eeb09244b77295df8025a72d412443f2b29d0db9ed721fb49f991bf30e50982290d234e22241da5189baeb82e1d08f4589c09346fef782

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c3afc742d9e184ed1d29714f6d3014b4

SHA1
06a1463f0db13319dbc63693aa3fec2e6d8c358e

SHA256
5511e992a3df987a0ce5955609355a983e0235923d3118878c0644e0b67de9c7

SHA512
6299da763783723e88f4778e20b5cc011c9bedf132bf6c3231f0db811dae225acb810228826e10f7faf3df50212d43b1b15c0399cdabdc91cb9a4e75e73e7878

Download Submit
memory/4564-30-0x000000000A7D0000-0x000000000A7F1000-memory.dmp

Filesize
132KB

Download