c39d5394706aa0981f3c94a6f0f8cba431e3a4a3226e21ffe1ecee02cbc399b7

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5da70939fcf0c0c103e3c5dd4032738.pdf
Size

33KB
MD5

d5da70939fcf0c0c103e3c5dd4032738
SHA1

6b7eb3099ecf1df54dfa99c99c3f89eef3d6d667
SHA256

c39d5394706aa0981f3c94a6f0f8cba431e3a4a3226e21ffe1ecee02cbc399b7
SHA512

4f01b86b71a5c41855bb1f8aa3c98dca2a6560bb833f8bfc19b6ca4d74fd52fc942902ae2d9a027aaa92ec454eea020c4bdda678844992fda8352036df2ae731
SSDEEP

768:09dqdE0OKHrWIJ80Wj88rpWOh5Zd6qLgL7bqjdxo8sWq+wS+j:2dqdE0zrWLjVdWm5C8gL7bqJxorWq+r+

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4392	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4392	AcroRd32.exe
4392	AcroRd32.exe
4392	AcroRd32.exe
4392	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4336	4392	AcroRd32.exe	92
PID 4392 wrote to memory of 4336	4392	AcroRd32.exe	92
PID 4392 wrote to memory of 4336	4392	AcroRd32.exe	92
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 5108	4336	RdrCEF.exe	95
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96
PID 4336 wrote to memory of 3444	4336	RdrCEF.exe	96

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d5da70939fcf0c0c103e3c5dd4032738.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=46C433F9225E1DD9A9BFF8ED158CD8ED --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5108
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3BF2D72819E04984B10431DC31D1F8EE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3BF2D72819E04984B10431DC31D1F8EE --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81668880DE0896803101E2FF0E617D8F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81668880DE0896803101E2FF0E617D8F --renderer-client-id=4 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2536
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B43A0DDD51F5AF85C6FE3A9107A0DBC0 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3836
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=589EF3810D0C9338C759DDBDE26FE1D2 --mojo-platform-channel-handle=2588 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1716
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7EF5DA5399B5A599EB1A8BBCB66AC3FC --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
14fb419435294aa70fe7f0aa4b1c34ae

SHA1
a80825f3711122c0b3b9ee7500b754e4ce72cb94

SHA256
722bd32e1f47fa6a75715bf7fb06a4a7f530b97b236acea114b70fc04dcaf14a

SHA512
5b37f7e01aeb5b59c003d03e079283414cf5da66faeaeb2cdca2156236337deec7abec594f8c55a6929bddb9c0252a0b63fb42958334d9435a6014d54d855ec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
17b1990b3d19d5b3d919f2c21f95bd87

SHA1
7ae8a1c039c3193f0b0470b42bd838666e54b0af

SHA256
b9c7b2c92672dbd265d8b8b00f10266dc1565dc9a66f18a7bb0a5e2542962dbd

SHA512
3f1d6dae93e8678459b6d692f5f52fb498b01cb836c267cdbd5dbb09e35e15b3f86119b1a12f8fbf4f96200bbe3f882016cdd4bac3cabb0c97e45dac5548b102

Download Submit
memory/4392-31-0x00000000094E0000-0x0000000009501000-memory.dmp

Filesize
132KB

Download