4c5e76aecb5b273f0b122b30acb186d5c2d971281355748aca71a7ee885f8d4c

Analysis

max time kernel
93s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3066b18ab006d9c15d2d92b1fece0f90_NEIKI.pdf
Size

232KB
MD5

3066b18ab006d9c15d2d92b1fece0f90
SHA1

e9e9c09bb1d3d7e08beafca62e6d83b0356762ec
SHA256

4c5e76aecb5b273f0b122b30acb186d5c2d971281355748aca71a7ee885f8d4c
SHA512

4ad47a576582f19c91de6272a5d6831da72db7e52be71b34fbeab676d5bba1c7385889ad2098ea337719e1ea90ff58744d7c469461ce53b51609f85933dcecc1
SSDEEP

6144:ohp3vAphxHmnHF/GaN9qAsHBZ43Ugx7k26hZxsySqNLZz:oDophxGnhZTqAGBZn526dsANdz

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4932	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4932	AcroRd32.exe
4932	AcroRd32.exe
4932	AcroRd32.exe
4932	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4904	4932	AcroRd32.exe	88
PID 4932 wrote to memory of 4904	4932	AcroRd32.exe	88
PID 4932 wrote to memory of 4904	4932	AcroRd32.exe	88
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 4808	4904	RdrCEF.exe	89
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90
PID 4904 wrote to memory of 1088	4904	RdrCEF.exe	90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3066b18ab006d9c15d2d92b1fece0f90_NEIKI.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9AE754C66131F21C33ACDB12352E9D4B --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DF851918A95EBEEF357E2C19EE91A7F1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DF851918A95EBEEF357E2C19EE91A7F1 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1088
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8430A29FBF232E623E01A0A77F8A148C --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2684
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1406BB54D447A0725C7A45203007376C --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1360
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=273B99667FE1154EB6BD02B4691705C2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=273B99667FE1154EB6BD02B4691705C2 --renderer-client-id=6 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4072
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=197878B6CAEA804D324F523DF90C3653 --mojo-platform-channel-handle=2536 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b057bbe86311441eeaa3c1784923bb6b

SHA1
cb471016c3847f5b6b51ab473789febc0e69f39c

SHA256
f9fc4f48c3a8f68b27a6e4b4ebb9f77679b4292a9f94c79dc0c548e640dfb26e

SHA512
86d4334a307813d1138def5a0ab3875b273a95aab4d0a01ad79e87e54e4b36470161492e96631e36ea6121ee074233de3861f9fb7df9adab8ca972edab52694a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e3f4e27debeb4b6df7c79a7c4bbc297a

SHA1
0b98f263bfe91be469ff31c49edde7631c7a43ba

SHA256
c51a31c416eaddae6231453a89f5c133df942d81e5887f03f08f542a16af4fca

SHA512
63b1b57edb8fc9738c05e7835c4e13d179fe1acbe1115006b1f8f316a5cfc666bdd7a70325d37c202f9eaff0745e489dd248e49fa8b181e9e3cb4441b953c467

Download Submit