9abd57b041b475d3e37ae8934699e743477afad1622d86fa425449c169772a56

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5106bed5b0a3c137244a1fa16245dc6.pdf
Size

79KB
MD5

d5106bed5b0a3c137244a1fa16245dc6
SHA1

ce51295c24a3818b382e04e7d36cc567377ff152
SHA256

9abd57b041b475d3e37ae8934699e743477afad1622d86fa425449c169772a56
SHA512

1b0d1da15b6c22b30b4a0f28e6b18510671e534f2caba74b0fd928e6824add756de045ac654b398d905796a4f1df2f33874a081750dd091cc2ea45e673e1b9da
SSDEEP

1536:Z6FF72lL2guG7P111Av5dEtkZUiPV4Q2EF8on8mMDD99b:YDuagX7P1HwduidHHFpn8TXz

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2008	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2008	AcroRd32.exe
2008	AcroRd32.exe
2008	AcroRd32.exe
2008	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 408	2008	AcroRd32.exe	95
PID 2008 wrote to memory of 408	2008	AcroRd32.exe	95
PID 2008 wrote to memory of 408	2008	AcroRd32.exe	95
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1084	408	RdrCEF.exe	97
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98
PID 408 wrote to memory of 1600	408	RdrCEF.exe	98

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d5106bed5b0a3c137244a1fa16245dc6.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D8EBAA5D04F1DDD6339FEA35F932C2EE --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1084
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B2E185E10507A5DBA1327B2DC7F57FF8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B2E185E10507A5DBA1327B2DC7F57FF8 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1600
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6683EDF68928CCB7FAFB3AD596A729FA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6683EDF68928CCB7FAFB3AD596A729FA --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:400
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5F1FA9D4EC18C4A3CEBAC10AB0CC91CE --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3292
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CEBB2BC72F4AD15C6DCCC6CC276AA040 --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2184
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A44015D4E3BF315E671C793B1F185DAC --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:60

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
adb01e05345f50f800bc9698739ce480

SHA1
beafae647dbaf649784df98758fd4bab520dc4a2

SHA256
ee1226d453a3beb598d7720a4d3e3e55d47bec408a1315a224c24fc3aea53454

SHA512
a9f12d1f2240bf32c7a49174b9afd2c27878f34bc9a44571d352d52a7e2bcc5f07a5a662d5e19818cbae61921be0a2965a61cd70c99dd3a58476769b3af43a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
75ee7dc1a720805f71b9ad783af195b5

SHA1
5a764d491ab43af5d65d154d2dce2c0daa4ea4f8

SHA256
e8f2b7efaa59d381ba618689c60c8e8fa8dff5741449dbb83d9c780d489812bd

SHA512
d5833db62f1f636df592173a04b5f9ce2d441c9f4025426ba7b771d27fe06768bd8cfb5c5fa6c6697596aa1d11ccd23d2685f5bbbcf20bb3f8f90f7ce8ee3a85

Download Submit
memory/2008-29-0x000000000A880000-0x000000000AB2B000-memory.dmp

Filesize
2.7MB

Download
memory/2008-31-0x000000000BDC0000-0x000000000BDE1000-memory.dmp

Filesize
132KB

Download