15fde2a1f86b0d7a0f0e066799a2bae855da7400beb75d9281d8443c5360ace2

Analysis

max time kernel
291s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 15:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Invoce_34125079.pdf
Size

30KB
MD5

adc2aee44b1c3177971667125be8affc
SHA1

a616d8e69be412df5999e78d0de34af7d05032ed
SHA256

9b12f04dcd7b7152dac6da5c7a37cd093e071da2eb1d5607649070b477612fff
SHA512

7c1139f0edb5e9454d56ad8bb02b351c8df95dc1172222f8611ba180c1bacec70fcb8c8c390b0ec8efdbc6c917c0e1ab205277e21a0fed42f2385f35a2d8b3d4
SSDEEP

768:PvZp7gR0u4hcOwZ+7FlpE15aXH9UCuPmBc+h:Php7+Z4DwM7FlmCXdUC0+h

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4564	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe
4564	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3356	4564	AcroRd32.exe	91
PID 4564 wrote to memory of 3356	4564	AcroRd32.exe	91
PID 4564 wrote to memory of 3356	4564	AcroRd32.exe	91
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 668	3356	RdrCEF.exe	92
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93
PID 3356 wrote to memory of 1832	3356	RdrCEF.exe	93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Invoce_34125079.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=58B868E91ACF5876E923D9ECF3427B4D --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B06CA649A4D2790C0F25D2E9AB2D669E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B06CA649A4D2790C0F25D2E9AB2D669E --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1832
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9EF954ECF6D7489370F0840825CE0839 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2156
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=65BEE7862E7B1EEBF9D673D087FA7484 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3592
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1CA34DE39B8BC449166AEDBF4912C8A5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1CA34DE39B8BC449166AEDBF4912C8A5 --renderer-client-id=6 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1BD1A78BF63538044B70C4C64C2795A0 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
cd308e41c311d8b2dfb2cca0bd933d00

SHA1
5ef06d90395792488fc83345e23ab1c8c706ca62

SHA256
895aa8d37a2ed32e2122f85a2b8d5265bc0e9317916d7cbd756b1b3f458eca20

SHA512
be8efa2320a626ba2ac2d49b7ada333562fe567e7f92835866fddf59edc8e768e39825dc92b03b3bbc796810946584b6d8ca0746a7fcef6b650cddd6a75ee821

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
937f7cc12d03177b23c7a33f983c0c8c

SHA1
87465057149cf66371c79a5c046c0409330e504a

SHA256
f712c316680917608d0572ef03585fee9d10bc055d1ec6a8e96ca1482898ce88

SHA512
0cc0628cf1003830b9e235d3930cb8f220affea695e20dd81ae6fbf0fcf642c2b22e578462936ab63bab96ad8bcb3a213bb61821c8b1e98d801a18d8284ab6eb

Download Submit