91ed18abfaf30e5df3ffa25c82b334482758057f7000248c68bf7fc1988fba53

Analysis

max time kernel
94s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee1d198a70f8c4b6f1f9155705dd340_NEIKI.pdf
Size

510KB
MD5

fee1d198a70f8c4b6f1f9155705dd340
SHA1

a0b6cc2bb11423f5298afd10928aebdea7393f89
SHA256

91ed18abfaf30e5df3ffa25c82b334482758057f7000248c68bf7fc1988fba53
SHA512

abb5cedc5a21bcf9515ca12a9e8511be11b0e430410d012610391bfe592ddc6e1e3b98831f8eb1660cd2d9be36a2c1b45decf1299835bd58612c1160f62760d4
SSDEEP

12288:UMh19qEwxeYrnaZC4hXBROG/ixvyC27vkrzO1:J1ROH+xBQGKNAL1

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2108	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2108	AcroRd32.exe
2108	AcroRd32.exe
2108	AcroRd32.exe
2108	AcroRd32.exe
2108	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2820	2108	AcroRd32.exe	86
PID 2108 wrote to memory of 2820	2108	AcroRd32.exe	86
PID 2108 wrote to memory of 2820	2108	AcroRd32.exe	86
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 1056	2820	RdrCEF.exe	87
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88
PID 2820 wrote to memory of 224	2820	RdrCEF.exe	88

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\fee1d198a70f8c4b6f1f9155705dd340_NEIKI.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CD8DD152E84C99E5231032117A02373F --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1056
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=19C2FA19CB78D28B5E572B232A489C69 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=19C2FA19CB78D28B5E572B232A489C69 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:224
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AC1ED06BECE2B2685CFECE6860600BCD --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3276
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=03CED4401EB7F39ACEFB300145231BA4 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1900
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=51DBF3E86028BAEFED91FFF9F31663A4 --mojo-platform-channel-handle=2452 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3924
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=119CA88612227CD90C00266394DB47ED --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=119CA88612227CD90C00266394DB47ED --renderer-client-id=7 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6eb7c1b9512a93843f121a2f0250f5c5

SHA1
569829b3be0898a7ab4cc4c86ac876b7999e502c

SHA256
89483ffe219b8b398874d4251f389c394ac7a35a3a2f4bcd8e85217c41018096

SHA512
bfb4f5e3bf7ca48270615f42a7a91d8b858f2ac72201ec10eeb4b70f6a72d0f4efa132c3626be34b36fd57e73ff5580566b668524129a036e119a8205ab6b746

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
908fbd760dd748d7fbd411f5c02ec45d

SHA1
07ef3e90b94ee712e1a8423c01ae12ac3d66fbf6

SHA256
450a84c5558c08205bb6fee71e7003ecf5ed13f1afdcbf35db36e975af5a411b

SHA512
71d1261dd1ac9fab8046141e87d8dc11f1e5c907c95a136400bc4415b287425ec6de51b851177d199381056a4191acba6662ab6ea3c4442c0fd944a3c3b5b578

Download Submit