fb07ccd3cd253b4d549edc2eb5decfacffbb20f2246a6222ba8a75b3d243fb0d

Resubmissions

21/05/2024, 11:15

240521-nc2n7sbe75 7

21/05/2024, 11:12

240521-nbbfmabd99 7

Analysis

max time kernel
18s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Link Tekla Structures 2023-Midas 2023 - User Manual.pdf
Size

1.6MB
MD5

24899e1f625a97bcc6622969880abc9f
SHA1

95bd20f23da2728adf33d3642c34caf879ecde43
SHA256

bb1fd6989f8066342deedbfe6f69aeb57daaad22954c4d903e2fbfc741ab54cc
SHA512

1681feb463e94a2526f62c4bdc4934bb53b87352fb9161a5d55932c910d6a75239b2de2ce68ec52cc0e1633a6ce14c711498c64913829a236064679ab616d556
SSDEEP

49152:0SxO+GHYRWYulr5lh4mbIv2i0BzK6MGbB+8KD:AXHYR9abKmbg2i0xK6JI9

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1552	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1552	AcroRd32.exe
1552	AcroRd32.exe
1552	AcroRd32.exe
1552	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1116	1552	AcroRd32.exe	92
PID 1552 wrote to memory of 1116	1552	AcroRd32.exe	92
PID 1552 wrote to memory of 1116	1552	AcroRd32.exe	92
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 4848	1116	RdrCEF.exe	94
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95
PID 1116 wrote to memory of 5024	1116	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Link Tekla Structures 2023-Midas 2023 - User Manual.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=154FD3F295F594F59FCBD1FFC72796B6 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4848
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D9FAA70B52309064EC1827036D135C3E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D9FAA70B52309064EC1827036D135C3E --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9FE33601AB8152363F4EC2DC389A838 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4364
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C90A63A4BB554DF3E17AE64434EE154B --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=825E512435D38B36425E05F4498E00EC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=825E512435D38B36425E05F4498E00EC --renderer-client-id=6 --mojo-platform-channel-handle=1824 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1188
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0463649FA403610D386EDC9FD8DFD9DE --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e72d4f671cea952c7040f657fa19d764

SHA1
eba6122635a5893c54754a364934be5a1c66032b

SHA256
b9af29c4b91f2038e22f924a751eec94d154a36afd73a78355d91b4e2c92a160

SHA512
4643b97e82d6bd416236bda19df07a568e6646c4bc1f22b032381d4986f63b141e7e78e60069fd6e84df6903d1b8a9ca57791544029725f439c149e9f4be50ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
eed8ac12298a20536ec224df3ecfba0f

SHA1
210b8f06914576c561df34e881ba96bf9279c0a1

SHA256
b0bb287cf02a133f71f379515bbaae4d087118fb834e04c049dda7a31979e298

SHA512
ff7eb21878b141b78916ea27e80e20accee48b0ba858daab17c2d373eb9a328ccf490f584f5ab065ac23c207015e407e60e534076697b5fc96801a159f3c3797

Download Submit