52d22f86bc7e89055cca2cdbc6fd42c2fc3df268f96a41c12e758cec8c41ee83

Analysis

max time kernel
142s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Publishers Clearing House Inc.pdf
Size

107KB
MD5

a0056075ea479d291ca89f7c6ccc233e
SHA1

f312ebb69bcf7b59e2244b42778f3d6a57b240e8
SHA256

52d22f86bc7e89055cca2cdbc6fd42c2fc3df268f96a41c12e758cec8c41ee83
SHA512

4a3a58d4da07af0464a0645b937ade95f589a07f47f807308b42593406de94a6bad0cee42590ab5abc0dc62317928c0047aaf83cb243ede10281c555328257e1
SSDEEP

1536:UiPlnMx3QxWOWdrzEQIv9OKpiaZKEoGyMdCTHOnAukT3jyA7U0oD+iMtcQ5Emg2Q:UitaQ4hofv9OKpiaZKE/c8uNADrBUxxQ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
488	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
488	AcroRd32.exe
488	AcroRd32.exe
488	AcroRd32.exe
488	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 4268	488	AcroRd32.exe	84
PID 488 wrote to memory of 4268	488	AcroRd32.exe	84
PID 488 wrote to memory of 4268	488	AcroRd32.exe	84
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 1240	4268	RdrCEF.exe	85
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86
PID 4268 wrote to memory of 2524	4268	RdrCEF.exe	86

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Publishers Clearing House Inc.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:488
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=15BDBAA0D50E4AE89344FB14E6A7DCF2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1240
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=084A27D44A26A7E8F9AC73E5B27C1CB0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=084A27D44A26A7E8F9AC73E5B27C1CB0 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=10CB724E687D87896C0E1A0B54F8094E --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5096
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=28EF1368F17D0A35F543C9E705977E23 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3640
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=887ABC82EEE8916F2594ABBB53898A67 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=887ABC82EEE8916F2594ABBB53898A67 --renderer-client-id=6 --mojo-platform-channel-handle=2452 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:528
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=96BFD0260FB4793774421A16DA5CB3DF --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0091911598b5983d38e0dc567b5d200d

SHA1
ad0c735b18bf5a722f31397823e8f5eef75f3bcb

SHA256
7711eebf038fc7e95747befc18579516951138dbc66ff6e7a1c58ccc086a3046

SHA512
2c4973c16e3cbcdd1f7435666037bc70fad05df55fb70fd69bacaf9739ffd207ea8c9a5368fc0193af8690a5240b917438c46e9c47b7e4e618ec4c1116cdd40b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4457830c6beb1b82b84880c36147ad70

SHA1
f0d2510c9a7d04b446d156bf2314a11418d54a99

SHA256
b790dcbedc8d2e56781f57326145d18b5b04d193d16a357a9433ef4957b45376

SHA512
9db626275cdc5ceb765960aafbf93ba42b2a37ecb3dc88a2383e7caef85403dfcd1750f4eba7459e57399d899fd7581bb5e5bfebdb5babab0f062e715dee5557

Download Submit
memory/488-30-0x000000000A9C0000-0x000000000A9E1000-memory.dmp

Filesize
132KB

Download