0d37ccd92d8b374e5c8ccd05d172719b044eecdba6e24c0f5f82940a4c358ced

Analysis

max time kernel
139s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d37ccd92d8b374e5c8ccd05d172719b044eecdba6e24c0f5f82940a4c358ced_NeikiAnalytics.pdf
Size

143KB
MD5

198783008dc9152e2f960139fd14e2e0
SHA1

5fe817824ed3899590c2ae1708482d3c08e76e69
SHA256

0d37ccd92d8b374e5c8ccd05d172719b044eecdba6e24c0f5f82940a4c358ced
SHA512

aa8109dca543409a338facef14e8446158aad04fda3fe7879f9d618c6fd0ae221dafccf09976e0e648bced02dc37a2cb2f0bce2e2cffac71135972d48115fdab
SSDEEP

3072:5tdaWCTPj1G9wRo4/mkH23gHZWK6KGGDmPlBwqYKwvSOdW7R8wwm:5td4F8wRoumkH2wH2fwvbVSv

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1836	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2328	1836	AcroRd32.exe	87
PID 1836 wrote to memory of 2328	1836	AcroRd32.exe	87
PID 1836 wrote to memory of 2328	1836	AcroRd32.exe	87
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 508	2328	RdrCEF.exe	88
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89
PID 2328 wrote to memory of 3216	2328	RdrCEF.exe	89

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0d37ccd92d8b374e5c8ccd05d172719b044eecdba6e24c0f5f82940a4c358ced_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9DE43E853FC8A0022598B0821E487BFC --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:508
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=951F54CEA93CCD62479E0A032AD4DF2C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=951F54CEA93CCD62479E0A032AD4DF2C --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3216
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B2583C3330A7AF91BEF4FCD628762708 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1628
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E7FA036E08E08433805D185BA9F6C3C3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E7FA036E08E08433805D185BA9F6C3C3 --renderer-client-id=5 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4264
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BFC3B73688CE2AA6672355F73802083D --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4080
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=364E05F39EF856D940B060029DAAFFC6 --mojo-platform-channel-handle=2876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d5b49fa581835612a8e3678798fddb91

SHA1
2b72e51a310aacace61a44883ac5cef03b4bdda3

SHA256
f4f2875bd28330abdced1c64c86ef520b00e31ca3b3b86a9c8de52df07eb810a

SHA512
f38d4c4daeedf8782d318d736276f19d3aeb34a68ce36e1a6cbe2a8bc339c3e9d4d27bbe462b7027a399d0f23ab032bfec2a61caeec03b891328ea10638b3550

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1e756d83fa88566d576f537ddad01eb9

SHA1
5054271023cb6c2f93037513b6357a3e8be7633e

SHA256
37bb78da68688ee9e4d18853a4b73b7583ffcf6cb5f51b369a28b21280b60a4b

SHA512
9c5cb73ed9ae7bd43c312a842dab9876d904297b35f40c5118fe717b98ac24ddf6a20032d65bfb429d48527688391b94e30c1b9dd126e633c92bf9cdaa44aaa4

Download Submit