932fe232a2136eb9000b7ff67319bb9d413e39fa04b159500acba475698d46c5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd5a9b506e2165cf0eff780af81f780_NeikiAnalytics.pdf
Size

102KB
MD5

2fd5a9b506e2165cf0eff780af81f780
SHA1

713b78f8090b7a3c85510c430f2148d66a497400
SHA256

932fe232a2136eb9000b7ff67319bb9d413e39fa04b159500acba475698d46c5
SHA512

39498e62fd8954cb04a4bcfa8ef7e4cab1c14fc4bae46f14cc2992051f779d8cb120c5cf9e6d94368b7d2af0bdcc8cd006666e424d6c99d2876bc208a186e3cb
SSDEEP

1536:unUB1hmzKZhmMiWVvooBgdHlyrNEbMP0D7zHXxeVu7Ni2q+LzXmNqpKXoLSj6nS:gkHeKZcbaLydHlyrNYMcXxau7PXse3S

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3036	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4980	3036	AcroRd32.exe	87
PID 3036 wrote to memory of 4980	3036	AcroRd32.exe	87
PID 3036 wrote to memory of 4980	3036	AcroRd32.exe	87
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 3356	4980	RdrCEF.exe	88
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89
PID 4980 wrote to memory of 2308	4980	RdrCEF.exe	89

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2fd5a9b506e2165cf0eff780af81f780_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B39B4A00A5A3E1527C05CD4B54E791BB --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DF9BEA5C047784C04E46F463E3D87758 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DF9BEA5C047784C04E46F463E3D87758 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2308
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2291F8ACB0D9F9F518B611DDF33CA419 --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4796
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AF3B3B96B160743AE6F0EB84783F988A --mojo-platform-channel-handle=2396 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4944
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BFAF7E1F8FAADDF074E4DF6BBDD99868 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4004
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9041447CFBA3CEE24D8C644A778AC419 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9041447CFBA3CEE24D8C644A778AC419 --renderer-client-id=7 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d10b535686fd3d9ab8a13ecce3896b00

SHA1
b7468a96f267f5f91009db453a37487f0ebc6104

SHA256
5a2af1041d67bc5154f20ca4409736ace6ceee42d0820bd8226624441f89785e

SHA512
fe1d474229a5dcd0a36589baa3b50d08c43a86b28a9fc5a6213a035c53a8402291fb5f669ed31dc8c8d837a00d856fa7f7ae725a86f85fbf7d17c93a4304c70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0584f064e3a392ddf8aaa6f24103c34e

SHA1
b02145196ff0a2c031f305fd656c42a93a9f93c0

SHA256
b5bf37bd2d79ac23bdb949d7c6e15824e08d9c21d99b7e6442a66ad7dc850c96

SHA512
1d00fef44bdb17eda3e02cc1ddc40dc227844060ffce7d5c17b5ceb7410e5601ec663705bad059cda73c729cf38e16964cf05613a609bfd9fa75354260e8855a

Download Submit