771acc18d5c4db16250be033f610c77d55360c7bd5e8a51e5ee17615c8863b30

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1053aec13849e9f99817f2959afe83.pdf
Size

100KB
MD5

df1053aec13849e9f99817f2959afe83
SHA1

9a8bc2a8d0af451eaa1f586d9dec92358b58c9e8
SHA256

771acc18d5c4db16250be033f610c77d55360c7bd5e8a51e5ee17615c8863b30
SHA512

20671d5fa24ea36b934f20738752a70d6b8a46755a86b664e3858e70ac37c2ca743a63d5b2cb26a91fba001853a42bc422fe15952403101d4e2a964d5495b8e6
SSDEEP

3072:9gQ267I124BMG7enqzD98tm6UQuolE7zU7K:H97IY4OGCqN8tm6rno

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1148	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1148	AcroRd32.exe
1148	AcroRd32.exe
1148	AcroRd32.exe
1148	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1252	1148	AcroRd32.exe	91
PID 1148 wrote to memory of 1252	1148	AcroRd32.exe	91
PID 1148 wrote to memory of 1252	1148	AcroRd32.exe	91
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3200	1252	RdrCEF.exe	92
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93
PID 1252 wrote to memory of 3092	1252	RdrCEF.exe	93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\df1053aec13849e9f99817f2959afe83.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B3FAFD1B62B507085938DE2272F9192B --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3200
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6AC0DDDD353355116E8B3771BA3D1BC3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6AC0DDDD353355116E8B3771BA3D1BC3 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3092
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE7C7FC41B624A363D52370755E3B9EA --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:60
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=87053C4EA3EE7C27C73D98FF2A0A0D96 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=87053C4EA3EE7C27C73D98FF2A0A0D96 --renderer-client-id=5 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1796
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B951C8A3FB90694DC73884E66EEA3A75 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2920
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F7115A1B0F73E0A3296559CC639BE3F7 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
299d89f71239f8f137713af431d91ef3

SHA1
1ee628dd090eafce1f46c77ad94e4cff70c31c05

SHA256
6688fee66a35998449443fd330099fd6ccb73c373c808563a3c38cc70642ade6

SHA512
776298ad7ed0f15d7673b556f08d3ec7a9f64fe9b65938f8cc879a665c8b7cef1887994549d22d476bd623dc941d40bd07e86fb9f41bfc2ea657b29cf42408ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4ed121a8d600b8f04c1d1d0742d98b63

SHA1
fd0c5890de01659919356ae1a70bd82a63afcf22

SHA256
025b93352121889e0eb988cd9439c67465f58f25d4c4c6993a5aa8015590c037

SHA512
b9410af0af8eb0e8a91cecb3af9e32a4ad3e488a680e708e74f4e5ee67a2ab70952883c02ac5b576032a89a85461227a6730dd7dae950156ddd3ba520215e651

Download Submit
memory/1148-31-0x0000000009EF0000-0x0000000009F11000-memory.dmp

Filesize
132KB

Download