66ef04c23eab69d897af250c822c66509d88d1b60da4d6b30707ffb8887ff834

Analysis

max time kernel
93s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A81QG2LO2BQPDZO0J.pdf
Size

46KB
MD5

0d78470dd104cb2071985a1952444052
SHA1

1fed79bca8bb95add24367994ddff27c0ddfe046
SHA256

66ef04c23eab69d897af250c822c66509d88d1b60da4d6b30707ffb8887ff834
SHA512

dfd21fee199412ee9e33e2bc3d918cd088db98eafc04224d90d0179b38be3bb6b129fcf7a940289d0c4cc520b0324e6eed38f619d8a0fb5b721bcfe1c7189722
SSDEEP

768:MX4nsDzBViSE2IAm8OW+AwgxCR/3tAayr23zu1JND4Ir0baxySkQxyYOMPqEp:1IzXiSE8m1bRKS3yJND4IrgtRsxMEp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4160	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4160	AcroRd32.exe
4160	AcroRd32.exe
4160	AcroRd32.exe
4160	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 4720	4160	AcroRd32.exe	88
PID 4160 wrote to memory of 4720	4160	AcroRd32.exe	88
PID 4160 wrote to memory of 4720	4160	AcroRd32.exe	88
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 2456	4720	RdrCEF.exe	89
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90
PID 4720 wrote to memory of 3184	4720	RdrCEF.exe	90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\A81QG2LO2BQPDZO0J.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=690CE14043DE1B6D976E89C69C29E073 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2456
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B2B0B9329641851724D58B34A4B97532 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B2B0B9329641851724D58B34A4B97532 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3184
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E636A7799D519C6B4EEF40427C13DC13 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4000
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AA0066611859BD8B0D3368194C599346 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2228
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=70EF508BAC1EF2BF5C97D1020FEAFA3D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=70EF508BAC1EF2BF5C97D1020FEAFA3D --renderer-client-id=6 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4712
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=37C9685C6EDD8B2E1FB07204B0F72635 --mojo-platform-channel-handle=2700 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4a3cac93302bc5e5f2e51608a9c4318d

SHA1
b8b7e69ed981e4af54186a84ef626bea99297313

SHA256
32a8973885ebd7c01cdeb3eb83e50cf680ebeaf19663596366a9c2744aad2a1e

SHA512
b002b70c3679232a421165898a2e3518593bc3ed78f13cb6baece11d71d881c329eacab5cc36a952fedc313da1fa08a15dba17c0dfe4169171c81e2d51ad2961

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1cac1b5f2ec0fd8ef14b218039a1cc77

SHA1
063ba49c33b00bc3388758d55eb048f93f1a99dd

SHA256
2282ec3c57cb91b278eb140e0427a03571550a40a8645e17a00cd4ec79eaf3da

SHA512
a8f4f8375591cf206bb67f91392d62eb7858a588e2c38dd73ca51644b194e1334848fab43998ab2b3996166483d07f4e05d49eb319503a4fd6013f8838aeca70

Download Submit