d89d173ec42a4ab6c92a3dfa685ad556fc9c46e7d98e1f08666ce910eeccec2f

Resubmissions

29/03/2024, 05:45

240329-gfrj3sbg22 4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PERUSAL.pdf
Size

279KB
MD5

c9a14a2cc502d6103bfd36f7426f1791
SHA1

3a0fc652d1696c70fa0d36a1a1e715672195a29f
SHA256

d89d173ec42a4ab6c92a3dfa685ad556fc9c46e7d98e1f08666ce910eeccec2f
SHA512

09450fb4accfe42d0068b4e9d273bc98bfafcd21046627945a29b60143f0a39ec2040091ded5da2d5ef9540189810e51c3406685da973b7f5f2872b9eb844d12
SSDEEP

6144:TnSjNDZxjfyjNd9whuj05ICtIDUV+QZUd52mXQDRd6w:Taj2jZwhujrCiIhUfQNd6w

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4724	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4724	AcroRd32.exe
4724	AcroRd32.exe
4724	AcroRd32.exe
4724	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1752	4724	AcroRd32.exe	93
PID 4724 wrote to memory of 1752	4724	AcroRd32.exe	93
PID 4724 wrote to memory of 1752	4724	AcroRd32.exe	93
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 1372	1752	RdrCEF.exe	94
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95
PID 1752 wrote to memory of 3056	1752	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PERUSAL.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5B00A66E903DEA264C93FA41ACAEEAFB --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1372
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0AC2AAFBBD9318829CBA1DA83A53A5BB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0AC2AAFBBD9318829CBA1DA83A53A5BB --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3056
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=17ACBEAD411B4653D8F96D8AF10E4409 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1776
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8937B59E0A71A7BE7D41D903A2215854 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8937B59E0A71A7BE7D41D903A2215854 --renderer-client-id=5 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4828
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=23A959D90748AD3FFFD495311BC0BCC6 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F1CE6CCB13CDF8BE7D82CB5B5171D94 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7b4908abc70f41650270e258c8b46d71

SHA1
9638a6efec41ed554505d668ef6d373da1ffe360

SHA256
dc18ba694b10354c2819d22a9af8b59da9d9881ab8668f92c10bcc43df2ba072

SHA512
9acec0863b852b20fdef79c78e76052a498151dc7e4c2c6fef1ea008fb7a3ad61508a052fb5c55da4892587e69aab4f2597e28780e1b37ced3439627f0d8b806

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2664ee8c19cf3c0bbf0a7aaf91403b8b

SHA1
5e72592f566e4f307c2d403d9cb388e5698582cc

SHA256
6158a0e8e8efb86660fa47cccaa612b6f6ed1f833d1b14657ef60a6a1733ced3

SHA512
99c1b32dae87278f3e3604e4e6505e85384c017de60024713388fb58dc29ca5f7ffcaa910200b407112c1990fdd2987dbf3a3b37e9972b12c624b072ab58a738

Download Submit
memory/4724-30-0x0000000009E40000-0x0000000009E61000-memory.dmp

Filesize
132KB

Download