1c371280ef5ddb832d5534e015869a5fe79a379649c64b69160533b81a219e46

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AIR FORCE/Attachment_7_-_Compliance_and_Reference_Documents_(DRAFT).pdf
Size

357KB
MD5

6cfcce9bb7c56da30e81bca075f0f2e7
SHA1

ba276b8427206ad7862af030ea9cc3fd27b33cd4
SHA256

3f4e2793786cbb1707e2bd405da4e874f5b5e62101cfafaa682bf88eb8c1d739
SHA512

15074210cd138b83d65669f44035c858f899f9dc376f3cafdf906a0218ba1f2aac11c269ebbc979e9fda5eee8be881676800ecc9f37f3fe8ab7efa060868ff7b
SSDEEP

6144:8LNyHaPTd2LM/hT/DR0nbn8svY5/d3rJkPUlf/ZLgt+FSvzLd+JRLfg8gwlUAu:aou+chTbR2b3MCUfgt+Wz5SgBOU

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3664	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3664	AcroRd32.exe
3664	AcroRd32.exe
3664	AcroRd32.exe
3664	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 2200	3664	AcroRd32.exe	88
PID 3664 wrote to memory of 2200	3664	AcroRd32.exe	88
PID 3664 wrote to memory of 2200	3664	AcroRd32.exe	88
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 3040	2200	RdrCEF.exe	89
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90
PID 2200 wrote to memory of 716	2200	RdrCEF.exe	90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AIR FORCE\Attachment_7_-_Compliance_and_Reference_Documents_(DRAFT).pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0058344F4202FD58CE38AD7FF797DC4C --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3040
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=618D925112C24990B87C763F917F7BF1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=618D925112C24990B87C763F917F7BF1 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:716
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=32731ED189DDE1A20EA22816C90CCB95 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1816
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0D4F5886EF0B7A1DD966EB0F7E40CF78 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0D4F5886EF0B7A1DD966EB0F7E40CF78 --renderer-client-id=5 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:528
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5F97C428A559827A711B25F8C146C08B --mojo-platform-channel-handle=2660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3D3560CEE60326BE153FDF957B64691 --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fc1f4376578df1a056bf40448383057f

SHA1
077857649567c8c7352258d82a1c8e6c894228d6

SHA256
704676ed85d060e722e02575be97ada97b1632fe20c97eedbc22cd7b38c18430

SHA512
75b7e732e7ca289ad8648990559afd45ae4cca2d3343bf0fc8f28867a9b78df64d1d40f1ba7508171df300553842e0c2c85dad33740f46007ca0c7edbccb9b66

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1702dde1c8db8a94aa9c8aefd51014e7

SHA1
33d6bddef2b46942b6e4c9c216ae3f7061784e43

SHA256
4786ad27bcc8c4847b6be97c844d040f98aee2098ca0a7e8dbc6f0c7ed868958

SHA512
7363c56a23ec00169ccbf41caed59d413493a3cc932f88a956c08c22973b86e0503e01e2f5f81e997a71cabd6ed037125c78b646da47dad975eb4feade6b63b6

Download Submit