474d0b2ec6cac12b77ac527cec6e21a3537337f413858fce54550f7efcfccafc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 05:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c83e75d93d55500bd40a6604dd91020_NeikiAnalytics.pdf
Size

190KB
MD5

8c83e75d93d55500bd40a6604dd91020
SHA1

f228b2863f9b35bede731e0df84a37076c488293
SHA256

474d0b2ec6cac12b77ac527cec6e21a3537337f413858fce54550f7efcfccafc
SHA512

8a0c094b429a88d18be0ca409d5a0163cf1325983bd0a6f704d02c4add625d7c84792962af99e724ca5c5bbc4b2df4ad78ce66db1263489e1d9f36da0a07a741
SSDEEP

3072:xfcKfMXbOx/Rf8rIaF1Imz+M2dMFbEVzfZEaHox7Qzjmr2pUB+pnWQTQ3UFC4OYK:xVfMrOx/RfCIWBzV/Uz+h8mrrKJTxFCF

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
728	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
728	AcroRd32.exe
728	AcroRd32.exe
728	AcroRd32.exe
728	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 2612	728	AcroRd32.exe	87
PID 728 wrote to memory of 2612	728	AcroRd32.exe	87
PID 728 wrote to memory of 2612	728	AcroRd32.exe	87
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 1356	2612	RdrCEF.exe	88
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89
PID 2612 wrote to memory of 5092	2612	RdrCEF.exe	89

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\8c83e75d93d55500bd40a6604dd91020_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=55AC56BBA2E6AF0921E758287795FC24 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A9EE3E1FA697203EB3EF89B0D1116D38 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A9EE3E1FA697203EB3EF89B0D1116D38 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5092
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FB533437933F1596AE8D7E1D5956FA21 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1448
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EA3C0EFC823792C4EBE3A572DB6CA5F6 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3720
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FE4A9A0CB289438ED662D2C581331203 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FE4A9A0CB289438ED662D2C581331203 --renderer-client-id=6 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3068
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ADCC5941982BDCA6C990A1FDFC2E7522 --mojo-platform-channel-handle=2736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8d8b1fec5c306d29a3e4b1800800db19

SHA1
d0736d9cd8a0aaa1746da4c67f275e40150ea46b

SHA256
b2d6795d4f17364a6997d5fccf6716458bacc6b52535f7395e708be65b68bf18

SHA512
60b891cab401d4247ebabdd0822b41e9922e6cdaf2f1631e80678d15c6c19cef6ec3e6ba94e8407a857571be4929733d3cd7009307792e593c5c37e267de8926

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8c5fb8920a7fb5e3918f01d76adc26f6

SHA1
f8e581112a484e361eeb7abe0b6dbe45afda141b

SHA256
c2b365970bb70f179516d5c94ec46431f2b0fe0df2118ba53809e4651d8a2b58

SHA512
34b9f4d440f8efb5362d2494f913245ccd54c774f9b2883070d0917fe28ab9da290728dc6d61c3c8f26088a45fa775b9a5d7d1c1f0c0e98588ed020971bf2afe

Download Submit