192e29bf3f9eb06b11aa867f2a36fe03c038f38324f283d648a760b57ca1947b

Analysis

max time kernel
141s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 21:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5da6cb14b228445645b0c165d0379800_NEIKI.pdf
Size

150KB
MD5

5da6cb14b228445645b0c165d0379800
SHA1

49ab540fff33f7cd735c61e9ebb944997a01faaa
SHA256

192e29bf3f9eb06b11aa867f2a36fe03c038f38324f283d648a760b57ca1947b
SHA512

f2b4af74a4a37c09f772d0f9aa79c0baa119fe9085413905d7d6cdc6ffa7f6b5a64ba425852db4bb28ecdf3bae19caa0fb6abc95813e415aa97bac256766c41d
SSDEEP

3072:Je5M60xOdlA1cYDziGVb3M3TNwr5DCemoxH9xCx:J26OdlAiYDziGR3M35IJdTxa

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2716	AcroRd32.exe
2716	AcroRd32.exe
2716	AcroRd32.exe
2716	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 604	2716	AcroRd32.exe	83
PID 2716 wrote to memory of 604	2716	AcroRd32.exe	83
PID 2716 wrote to memory of 604	2716	AcroRd32.exe	83
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 1728	604	RdrCEF.exe	84
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85
PID 604 wrote to memory of 2572	604	RdrCEF.exe	85

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\5da6cb14b228445645b0c165d0379800_NEIKI.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=918772F2E7F60CE3B6EA96EE9942A9A3 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1728
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=815EE5D1F7B7970998036F3DEF2154FD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=815EE5D1F7B7970998036F3DEF2154FD --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=142E2DDD8A4AC538317F6EB17A533E4F --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3948
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5AD09B3E15D85FA8F4CE5BE694E2698E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5AD09B3E15D85FA8F4CE5BE694E2698E --renderer-client-id=5 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2756
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=74B595DAAE29CD66B2E0AF9692FDF2F4 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4564
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BC13A3A644A7A67B22CD3AB48E61B03 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
87db5d5ffe2d086f8bcf6f5d1af0931b

SHA1
909cc751139b46a59f10d86b7778ad0d579e2fbc

SHA256
244d73f4451e037c3b4be19c8230de835c775c95c985c4e0e84351ef204fd4d9

SHA512
7e44f22af63253c84b2233724bf0cf53dff7ba2db344ef119a766ba4ec9f2c82f58f5016f2abe0b16db5c0844a29acb778d32513ec668ff1a777dee2dd2741f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1bfcd88df08b30819d2ffe3594f86ce6

SHA1
dd750648fccadc8a49783bca9daf146e6cde3927

SHA256
df5890db1dc246b323ea964e0f4d4bb2d60e60f9fe3ba54d639aecd6687a0d64

SHA512
7ce6e93781e3d2845ddfb8dc2f816e96ff6b7968099e0734f5ab2a4ed5089592e4b83c9cb093e538312dedb9fc4624d8b6fe1f3917c481fc79c7ef9a8be17bba

Download Submit