22e011350d403bb4a6c632dcb7addb7a3c6ff80eeafe841c686d97f0bf800747

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4b3866502e43dc82d97ed77fec480a0_NeikiAnalytics.pdf
Size

137KB
MD5

c4b3866502e43dc82d97ed77fec480a0
SHA1

d211793188da01f6439fc647836b326cbd888981
SHA256

22e011350d403bb4a6c632dcb7addb7a3c6ff80eeafe841c686d97f0bf800747
SHA512

f46863af693cd2ae9442478ddf2686d9fec77a5aa891241080d30a30a80053eb856344aa1cfc83087b1181d6f3f104df94116a80a7fddddc3e95e11c340ba30f
SSDEEP

3072:Z8bq4A/Mdmlolhu/p62g/Tc7rtsYe+XQmS/qWd:Z4A/Tpv4c3tDe6XqqWd

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4360	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4360	AcroRd32.exe
4360	AcroRd32.exe
4360	AcroRd32.exe
4360	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 3288	4360	AcroRd32.exe	87
PID 4360 wrote to memory of 3288	4360	AcroRd32.exe	87
PID 4360 wrote to memory of 3288	4360	AcroRd32.exe	87
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 4936	3288	RdrCEF.exe	88
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89
PID 3288 wrote to memory of 1212	3288	RdrCEF.exe	89

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c4b3866502e43dc82d97ed77fec480a0_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D3CC28EC3F6C006C03CB31EDC1486D2D --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4936
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A66888241E01F0197597E02B3C9581EE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A66888241E01F0197597E02B3C9581EE --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27E28BD7AECB9E96DC6179216A7A462D --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3036
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BAEE5B126CABE915560918368DB7E0B9 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2600
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=08D729157A0D4F0CB7700B5B790FCAA7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=08D729157A0D4F0CB7700B5B790FCAA7 --renderer-client-id=6 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1692
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2A96ACBEC6091B6ACCC973CBEED87214 --mojo-platform-channel-handle=2716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6a72a48e4eabee17e65ed070d011785a

SHA1
4da800ff233f84cf5716bcfd682646c56fe1f9f5

SHA256
6832ed3e99a04a960e2b501ed0f2bff1e6f4d8e59942572ae72a5a8d6015e202

SHA512
f65bf043557dce7c430dc6bff3d1187ed81801a8db224d422187219327e7b65ca581a561c5f2c72c5a4aac2123817c9ea5241359241b453828983b2a9ae9c31d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5ef57dd29f89d7e740947de9c36a3c23

SHA1
edec6b560ab4ed564463ca3dfe0aa975489ae0fa

SHA256
3d4ce1c4c28f6eed54c950a953c2b22ea786ddf4ebe050df9433c850414c98ef

SHA512
c5ba1b6608a96242e1072801c020921dc0bd4b1225f4e7e9b68071db80d1970181c31fd4c151ac695e8d14555dd114c5b15c07bb7b377b06e93be10b1c3b50e8

Download Submit