c013188a7ae6282a0930ec9926c3cff5017e2e6a3c70acabbf85740d7feefb79

Analysis

max time kernel
142s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22-04-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rabarberbarara.pdf
Size

26KB
MD5

39639c8d7bde21aa3c0c06d16d06e50d
SHA1

7c48a52ef4ab2a14161979ae3daa440a07d2bf6a
SHA256

c013188a7ae6282a0930ec9926c3cff5017e2e6a3c70acabbf85740d7feefb79
SHA512

cae6b0ca8416ccdf71bdbbc4d36be56fcf305c3b8f53e4553933b6a4ae8d330d15c99c021a0492ffd310a2d864b30776309be61f3b92b4ce263bd5b9ce96e05a
SSDEEP

384:a/eygXGe1jwlF8LDu885rQGRQr+ifjWvgqgO4RZLQ3Xujqm5/yHznvaxPCnul:sUXZxLDU5cNr/WvgLTKC/yLvsPCg

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5116	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4132	5116	AcroRd32.exe	80
PID 5116 wrote to memory of 4132	5116	AcroRd32.exe	80
PID 5116 wrote to memory of 4132	5116	AcroRd32.exe	80
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 3112	4132	RdrCEF.exe	81
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82
PID 4132 wrote to memory of 2172	4132	RdrCEF.exe	82

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rabarberbarara.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5FE7CDAB8E8E917C0450A82C93FD1F2E --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2FEF951130D21649ADA4C7557DDFF18C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2FEF951130D21649ADA4C7557DDFF18C --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2172
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A2C4ABE9713CA0ACEC0E2DE84FE2E7C9 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1564
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3462E4442F2A95505DC989CE02B48ADF --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5324
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=368F9DE6C50DB8450DD47B83CE29312B --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5528
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4BDF1775B98859B43751C1DADD392599 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4BDF1775B98859B43751C1DADD392599 --renderer-client-id=7 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
34596acdd9fc9181d2d414d9e34a6d1d

SHA1
d7eb0ed172a30768e41d27a33d57eb476a61f71e

SHA256
40e05ae0abd6cd7a34ceb309d14ee5432bacab97c5ff3db2283f930422bb700e

SHA512
6ef89a732c055f6c9be25ea5be7fae497b33fdf93d12c37afd14dfaf2bf531423045fda1dc8b04905f629b9fac1d21446abb701b796f2390cb264eea742dadfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ab8421d1801ba93c3a5304a08e7e79c9

SHA1
1ccbbf86557752ccf961e01acaad49a023358c3d

SHA256
a9ee6552b393eca9a6b6bdf3361f96488cb28d0d2f24c9c2a73ed25e46daa810

SHA512
2097fd0019bf8d869008d598c9cd7045620e0575d460a3c66776f7528c78619c90dade9c94e17898b2e1e3673da981d65821ec6c818bc38734c92068e595d8f2

Download Submit