d8ceabaa1b9a8af53f9090538814d8c20f676dd6d2c1b2cfa02ea3f8752f34aa

Analysis

max time kernel
51s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34bd4e93f81f30695600dc1187a6fd00_NeikiAnalytics.pdf
Size

387KB
MD5

34bd4e93f81f30695600dc1187a6fd00
SHA1

9fe13117f11e5749d99ca1a53043939206c03a70
SHA256

d8ceabaa1b9a8af53f9090538814d8c20f676dd6d2c1b2cfa02ea3f8752f34aa
SHA512

5bf44d6069a5e070553a1e9170ea020efa236b6f157d44f4aed56907a36c2fe5d5b21edc7c8ae80f5eb74dd23a1aae113baf3327a3f79de09a076dff58e7b6da
SSDEEP

12288:77UrTG++5Q4p4S/a3mPe/607bq3FPDyRW:3UrTGRQ4p4ga3mPe63FPGW

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3176	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3444	3176	AcroRd32.exe	84
PID 3176 wrote to memory of 3444	3176	AcroRd32.exe	84
PID 3176 wrote to memory of 3444	3176	AcroRd32.exe	84
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 3092	3444	RdrCEF.exe	85
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86
PID 3444 wrote to memory of 1112	3444	RdrCEF.exe	86

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\34bd4e93f81f30695600dc1187a6fd00_NeikiAnalytics.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6608C3445EFEB2B20E3D1A2AD8B89653 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3092
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4D6F03D9D79E877D824B9DD0F4C5E573 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4D6F03D9D79E877D824B9DD0F4C5E573 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CFF81D3E508B44096C98AE6A9EB705A7 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2496
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E910D8C04C6BBB68BF8FEDB034B36DE3 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2468
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8E0F093B870D1CC775C0B893E6B9BA87 --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1916
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C4AE9F4357A66AC67DFD1078A7D10003 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C4AE9F4357A66AC67DFD1078A7D10003 --renderer-client-id=7 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2e11cbddb8647894802dd6c4b9a0bfa7

SHA1
88a5552fb3309afdeae464faada0e4fd2197934e

SHA256
d15c0542e30829672bcd9323345aacfeb75e7a9cfaf7533835b9d760cf59622b

SHA512
0bf97a02974261fd039560e05200585aa41306b16552ad5bd0b5630af53142f88ff73bd96fda35385deb1ddff847e08fb5a34645f5a40dffc9d43bb8e6ea97c9

Download Submit