05ddfaf42b83160700d167d7dc4e044af8af6dcbf68492b0db02c9c8b28106cd

Analysis

max time kernel
141s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 20:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a879bea2388152f5171a5806e799ca0_NeikiAnalytics.pdf
Size

84KB
MD5

2a879bea2388152f5171a5806e799ca0
SHA1

d9ff7581844cda76e5a076549779892b62d8fee0
SHA256

05ddfaf42b83160700d167d7dc4e044af8af6dcbf68492b0db02c9c8b28106cd
SHA512

6b4369939dc3af9146c090e60df6b66803d5b30460ddf0a55c9aa03cd94460ea669b91906ac13cf5c8675478822cb3afd90f5bccd9517f4920146fa25c2bddd8
SSDEEP

1536:VgSWF1jDtbqtQFxFXVRu137QQZeUzf/kXLWidpu+LNiefsGKqRbSWItJIGgeqHOY:OSWF1zL1/EMQoG/kXiJqRbSJIHeqN

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4880	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4880	AcroRd32.exe
4880	AcroRd32.exe
4880	AcroRd32.exe
4880	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3948	4880	AcroRd32.exe	93
PID 4880 wrote to memory of 3948	4880	AcroRd32.exe	93
PID 4880 wrote to memory of 3948	4880	AcroRd32.exe	93
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 2652	3948	RdrCEF.exe	94
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95
PID 3948 wrote to memory of 5048	3948	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2a879bea2388152f5171a5806e799ca0_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0FE24DBF0358284C08E4BDF39B2ED9C9 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=91730C60A0AE934E8FB7E21E41372FFD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=91730C60A0AE934E8FB7E21E41372FFD --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5048
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5448CE56A59958D3847982A957F39696 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5448CE56A59958D3847982A957F39696 --renderer-client-id=4 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D0959F03FB9D77E505742BDC7EC118C5 --mojo-platform-channel-handle=2704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3892
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F50DB67BC49F654A89B5771661F568B --mojo-platform-channel-handle=2876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1492
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA3DB0FB143DEF26D1D06CD870F6E66F --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
281e5e88a22501d723646486826eeb08

SHA1
6ec476a46b753a6fe06748ba00909c503a58fc92

SHA256
692d5d1ca47f865be403e6e3cbfea2b4fdc3cd57ea1b5b059c414b95e629c003

SHA512
f74bef55f4fb105378712b212b31d55c8280cb4c3df3bca7df7196305dbfac56f548d52b9f9e12797e92f1edc9e5c3a16f3b24f19da1457c3ed7370b714f99df

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
63665dbb59465ac50774f2bb3a3b2d7d

SHA1
002db24d366ad92b27c4b18d1a289a8a24628eef

SHA256
bd798fcd7d132f3da82b819eea778a501c7ecd4698d120769971f83c103f3162

SHA512
c37b0571cb8693dade0e4e1c343b1fcce0fdc60d0ad226c30a96c6cc6a829332be5c119ecf3138d5c5fa6c0ab1f557a68e68139f9d25c400ef7e3437ee872bb4

Download Submit