70858824440e6f437ee4d671b7914dd29dae623844a874c2e6f79e10390b8fd4

Analysis

max time kernel
94s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

551c4de6df37ea1269cf9eda6ca52cb0_NEIKI.pdf
Size

34KB
MD5

551c4de6df37ea1269cf9eda6ca52cb0
SHA1

f36ac1e87f6dd8924bb32d7987b319d751ac5c8d
SHA256

70858824440e6f437ee4d671b7914dd29dae623844a874c2e6f79e10390b8fd4
SHA512

8f334151439a2cb5e6d3039cf7f949691a9c5941f27155dcdc3d05e4387176b631374e2e816bda67f05067a8867d7a935a310d822cfffb530e743f5f503c38b6
SSDEEP

768:6gGzpDY09lp/T8NElrhRPh0KQMpuQ2cL9F4ZGxEPRp:nGFc090NElr3hRpuazSY2p

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3468	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe
3468	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1860	3468	AcroRd32.exe	83
PID 3468 wrote to memory of 1860	3468	AcroRd32.exe	83
PID 3468 wrote to memory of 1860	3468	AcroRd32.exe	83
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 2588	1860	RdrCEF.exe	84
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85
PID 1860 wrote to memory of 3972	1860	RdrCEF.exe	85

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\551c4de6df37ea1269cf9eda6ca52cb0_NEIKI.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9CF1A6D4A45DA56F01C38F5B30E4B6A6 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2588
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4B7094EA0B0845A388432C94DDFFA35E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4B7094EA0B0845A388432C94DDFFA35E --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3972
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=67E7D19702EEB774AB929D3CF233F104 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3188
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEC0265E179B42BB5EE3ABA7F1A92F08 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1628
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0CA25850EF5A5A0BBCB717154B377FB7 --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1572
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C945A29C09A5D1B97BC4489E566FC47B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C945A29C09A5D1B97BC4489E566FC47B --renderer-client-id=7 --mojo-platform-channel-handle=2392 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
324ae93e5e65331ec20d054fdb43a425

SHA1
7f0b3131d96d2a53d4972caf17cf94ab33a908fb

SHA256
979249c8de0866f0d216647fed0d93480091ef0aa8a0359939595c8f6728079a

SHA512
4283f4d37fff7f02b81d546d2a764eb056e220381590fadba246d9b2ab2290fabaf73ebd0a8fcf19d05f83881fd6c722ac2952ffa5dbb19f86ce5c91ca935ef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
89503356d6f73ce213165bd131d56342

SHA1
a43e9750238d461d26b175861baafa9f253cb13c

SHA256
a660545e46da0461e5c194b05eb2bf24750c7cf35a6234e506f7162ac2830da7

SHA512
baadbabe2074c975dce92e885851b3ff4a27dd93526c8073b26b0f5a89334168fdf1e6a70cfad0ce09e632297b3637295bb090f37ec4c4ff4725a4981f7cc8c3

Download Submit