17861803b8cb268af90cb7f79a1e61225883ac936210adf525f773a47e765179

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_7200056161_0.pdf
Size

145KB
MD5

8035221224c348c2a0e6e695dbc17612
SHA1

ba66784122f94cde8b80355115dc389fc649aa38
SHA256

17861803b8cb268af90cb7f79a1e61225883ac936210adf525f773a47e765179
SHA512

335ce2feeae88f4dde16b3e716ef79c2a825dae56f293a553f5c5a0318847a989207a431f84df8abc2995061ad82059217ffbdef4db6738718200e0b17cdcfde
SSDEEP

3072:mXwcyjpFjZucb5K2UaeUJMaXpT4qducGY2j7XhZrMqdlMg/8:Rc8BZucb5KS5jx9YrfBl5/8

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3444	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3680	3444	AcroRd32.exe	88
PID 3444 wrote to memory of 3680	3444	AcroRd32.exe	88
PID 3444 wrote to memory of 3680	3444	AcroRd32.exe	88
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 1192	3680	RdrCEF.exe	91
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92
PID 3680 wrote to memory of 3096	3680	RdrCEF.exe	92

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PO_7200056161_0.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=128CAAA8D9710D50A0C11FA6F39BE1B8 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0E49E916C70C708161BE59EBC01E1E80 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0E49E916C70C708161BE59EBC01E1E80 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=573F2E470A6E35C1E6F58C3C94942F03 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4008
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=11DB66FA464A9CD8AE67DE75EFCEFD7A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=11DB66FA464A9CD8AE67DE75EFCEFD7A --renderer-client-id=5 --mojo-platform-channel-handle=1888 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4908
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D72535CF9EABD5614479701D9AD16164 --mojo-platform-channel-handle=2784 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1968
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2EFD2725B088DDA44033CA6EDDA1B2D1 --mojo-platform-channel-handle=2756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9d6bd04995c1e0698112c0d4c82befc2

SHA1
0da1a42f824ca8e0dbb4427d7616666dbbf04324

SHA256
dff90704d3aba564addfbf75bfbcf04914b0bf4af9844d3284e1d8b65451e459

SHA512
5623797b2dc2230fe6fa0e56b6191cf2b58f62561ebb0f5b7e21733e04d4ac82f13c56c3bf0e426774d864df4988041eb72209c173b1fd562b627b3bbd525046

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c1e76680816791d71801ea57a7c86b8e

SHA1
d195e5bdfdc169a884e42f7180015db717bded0e

SHA256
b9ac554f63a32123f5818a1ca37963b50511c3ecc225aa4ef6881db737cc3ad4

SHA512
5abfbf7a7eb026f57527c0bf0162cd4a3a040e86ff323cb3dab23028c5acc8f1db2cd0e8cf1629642d126d7a2d3a267ff58bd01afe373e290f7ca5add72e4f69

Download Submit