0342bbfae8c28ffee7dcc8e12f4fc04ab53a9ba9cec93a7d0b9ae4c0c4ac994f

Analysis

max time kernel
91s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e23fb4d1fb474affe0e6043382ce7d0_NEIKI.pdf
Size

44KB
MD5

9e23fb4d1fb474affe0e6043382ce7d0
SHA1

7d9476a7b41b471dfee39859aa328b570130e9db
SHA256

0342bbfae8c28ffee7dcc8e12f4fc04ab53a9ba9cec93a7d0b9ae4c0c4ac994f
SHA512

963aeaa4ee1afef898cfbb03bcd690458b15a11f0183fbda7135416d1baafcdd3a8a0b39a3fbad7ea40bcbbe9892ce254a7f345205803a2fe5420a078a43f2a8
SSDEEP

768:Vznz1sIbDzmQopfbs9uft9y6rl3wJCdfUCX/VygKXevVpeQKntIIdeO4XSjjFYLh:TsEuFaJlqyhCVen/F2SFYLpgC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2792	AcroRd32.exe
2792	AcroRd32.exe
2792	AcroRd32.exe
2792	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1948	2792	AcroRd32.exe	87
PID 2792 wrote to memory of 1948	2792	AcroRd32.exe	87
PID 2792 wrote to memory of 1948	2792	AcroRd32.exe	87
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 3800	1948	RdrCEF.exe	88
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89
PID 1948 wrote to memory of 2456	1948	RdrCEF.exe	89

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\9e23fb4d1fb474affe0e6043382ce7d0_NEIKI.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F890DF0EB2EDFC8B01764AC91BD092B6 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6C58D7615B99DCD1B8BAAFF80A8841F0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6C58D7615B99DCD1B8BAAFF80A8841F0 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2456
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=99F1F83EBA4B6A3A811D2D5D975A8D8A --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1456
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=90EF2DE3BF366612DCE9D08EB9421DB2 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3616
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3CC46F5E3CD8C1F757F69A1A83C74D78 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3CC46F5E3CD8C1F757F69A1A83C74D78 --renderer-client-id=6 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2236
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A19129C53CCDEF0434DC99B5E8495C18 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c3de1ead841987045993c8993b25b794

SHA1
cb03c4b643d58ea34a5720ea83180a5e2fc3e34d

SHA256
44ff4c41a0905bdc157f47a04fe747961b73244f88cefb924891dc650dd8e9df

SHA512
bb17e0ea664bba8261a0474a229d5ec43f758096b88b399c2f65a2ff21e791af372b4f663bc55a42c0381d40be1e9fed3808afc1250fd90641a0a014c6fd2bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5872aba5cbf52064abfa6234b9c3e9d3

SHA1
e38180c26f223b539c7950788d7088fc020e8111

SHA256
f2f6a8b1f0d5ac5585feb8b77e9a686e38dd9d8f9b4aec92f931a683c892e20b

SHA512
4241d99cb90fc2aa322340c87433e7b86b9d669fca9438552cb31c8b9f0ed38db818eed7285432538e700f9e6367c4af66c5cebaffcc76b7aeb695d4f5cf1a3f

Download Submit