d16cae1786f201a673eeb494919d7d14beb56bbbc5e4f808c50f28516e24907d

Analysis

max time kernel
139s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document.pdf
Size

925KB
MD5

627ef0f9c2af3e5d48421259dd679b37
SHA1

c7d82fd87fbf695093503d3e84f2d05740665955
SHA256

483df3f3be2a04efa29d9c74fcbd906f1a9f9eb7fb9b938d26bfb047c18ca9ff
SHA512

dcde2383f9b2ecdda89b695f0f4cb9fde6a9f193b6e5907150209c3cc7326530eafb80b22d5aa43831457c195249df2887a1a173232aa79e63f14858902f2e0b
SSDEEP

24576:Ax/s1L5nLjweH9/1gr47J6UAohR6vRyf+dE9w87TDZ:i/snLj5H9/1xAoP6Jyf+dE9wSnZ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
404	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4984	404	AcroRd32.exe	86
PID 404 wrote to memory of 4984	404	AcroRd32.exe	86
PID 404 wrote to memory of 4984	404	AcroRd32.exe	86
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 5004	4984	RdrCEF.exe	89
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90
PID 4984 wrote to memory of 1580	4984	RdrCEF.exe	90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\document.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9B696CBCD3A3C0D670F19DF4B881B706 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5004
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=886E7A3631C3D505A7E60790D039B5D8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=886E7A3631C3D505A7E60790D039B5D8 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1580
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B43D9D559F58B9AC83B656883F5994E --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:640
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=739C5C960B8D0B0249D46BFC5E5FEDE8 --mojo-platform-channel-handle=1928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5080
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=68F846EC063B9175851D0B0DC6E6777D --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2452
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0364B76C610357C869AF0487C632C822 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0364B76C610357C869AF0487C632C822 --renderer-client-id=7 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
33ba56d3ed59d950ae50b99f22c3da6a

SHA1
fd5363397fbb8cb2564d32c3a33e1c8fa28ffb4d

SHA256
59e26d970a847b36770d17af956b46e169931ab5265acf90e5df734fca2e6c0d

SHA512
17990103771749fdb408e0b930cca3755821de19063e1cac79a28ba0db8322dca7cbf61a7571634661006434e1d9c3cc1e225a28abd1c03a3875421d9a794660

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
283bed92190227b8d7ccda19debb4d01

SHA1
09b50be8275542ddd8a8e0232170785cde167ca3

SHA256
0931eedf03d4873b708bcc4920d4e1ee2ee4cd0e0d39543c8ddf1ee341e63e86

SHA512
17c8094a1c6d24afe786370c70182fa108f4f6041007e3d67d30a9b5db01c12b05fba471196c3fdda8aa99677923821b19b325b05d42026177df3caad8d48744

Download Submit