0eb9dba6ec07d3749d5b3beb97e0ae31e54ed311fcc210965270666d292cdd1c

Analysis

max time kernel
139s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8dec1af0755ae83540ddb294158b690_NeikiAnalytics.pdf
Size

520KB
MD5

d8dec1af0755ae83540ddb294158b690
SHA1

22a2636a7581b906f34fc2a64a260cb143866b41
SHA256

0eb9dba6ec07d3749d5b3beb97e0ae31e54ed311fcc210965270666d292cdd1c
SHA512

7814faffa0b58734f2e5f3fc57cf4f0c5c95353fcc2f833521d98e2dab3634dc11f956324e96a5dcdad59ab7fc7b55a94704e0ecac1d255f68363712a1241402
SSDEEP

12288:rej+Ys/IlaTSpoLfnAqFT82Vx2dXtkUQXVtfC5Jtu7lU0tdBjk:nY+I0TSpaAiVxhXVtf8J30tdBjk

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2620	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2620	AcroRd32.exe
2620	AcroRd32.exe
2620	AcroRd32.exe
2620	AcroRd32.exe
2620	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4492	2620	AcroRd32.exe	87
PID 2620 wrote to memory of 4492	2620	AcroRd32.exe	87
PID 2620 wrote to memory of 4492	2620	AcroRd32.exe	87
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3380	4492	RdrCEF.exe	89
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90
PID 4492 wrote to memory of 3908	4492	RdrCEF.exe	90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d8dec1af0755ae83540ddb294158b690_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C91E6B1559BF3F3571E4F544A0712B3D --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3380
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5B9CA4198C32FFF1575C0450A3AC0169 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5B9CA4198C32FFF1575C0450A3AC0169 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3908
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6089C644A583CFB3562DC08961910945 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2464
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F266FA11315BB3F2281F9E721D91A21 --mojo-platform-channel-handle=1920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:872
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1B18148C5C25BC502356B898D17A3408 --mojo-platform-channel-handle=2504 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4144
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B549D7A66F97489A3127C33D96D49195 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B549D7A66F97489A3127C33D96D49195 --renderer-client-id=7 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:8

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
038b90282d5ef77561cda2351cbe5277

SHA1
3b4b739df5da53875d0d5466ac46decb548bdb59

SHA256
7ec72d1a6c89489e2858d3483629867f77deb7d86fc4198aaf45826a5c0da5bf

SHA512
826b433de87683eba973987ec5c9937a980a3393e1a3e6c2cb1bfdcdefa1ae7b767a9cc69c6e56b0079270b5a87dc94a4d4114165fd73b1ebeaee5d3185070d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2c890e078a64d76476231712fe7da17d

SHA1
6a4b2ba7019d39264a25d668ee1f5def1191f14b

SHA256
1428cba36a3c6b08f863587efac56f23f7d15fb2e1b1f7d53b005735edb6a7a1

SHA512
41d667e0d5c232c25a447c4b989dc7da03b48c8564e9ad45b9f5dc6fa13ce6e5789817fec0ddd5dedced970007c240c89d0f3b58211565616589cd2d3542f36e

Download Submit