caae2093b54d6dbcd9cb28aa0c89f7b21a32be964566803d2a6e79efcf55c4f1

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unpaid-9714711425.pdf
Size

210KB
MD5

95984c5809efc414141c1e9e78354a13
SHA1

cd4db85b1d915c267825ae105449fc17b5d9dc4f
SHA256

caae2093b54d6dbcd9cb28aa0c89f7b21a32be964566803d2a6e79efcf55c4f1
SHA512

65d61ed3677609b65274b140ce3efe4e31cc1a6bf616aaf580df08ed4204625e0b97c75c69bd3b9aaa1ebd728c2b06275e82244525238726c1532164940bd414
SSDEEP

6144:X85ai3/or3B8Uii7rmHww2ArEJmR7uPdRSAJF/fwmU:X85ai3Ar3KkrmQw2A4OAdRPF/i

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3244	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3244	AcroRd32.exe
3244	AcroRd32.exe
3244	AcroRd32.exe
3244	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 1080	3244	AcroRd32.exe	85
PID 3244 wrote to memory of 1080	3244	AcroRd32.exe	85
PID 3244 wrote to memory of 1080	3244	AcroRd32.exe	85
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 4764	1080	RdrCEF.exe	86
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87
PID 1080 wrote to memory of 2748	1080	RdrCEF.exe	87

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\unpaid-9714711425.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EC4C19AF6DDA9A245DBE2E4C5BE39C5 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DE878F71946B3B9AAB306EA97008EDC1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DE878F71946B3B9AAB306EA97008EDC1 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2748
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9BC0BAB1965DCB04DA268FAE79683FBA --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2012
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=480C49FECEBD0D63B0BF0312E3C39733 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1464
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0269558B0755415653D67141406E17E3 --mojo-platform-channel-handle=1832 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:116
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=88701B01D84504B9A781B9A4F721E2D9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=88701B01D84504B9A781B9A4F721E2D9 --renderer-client-id=7 --mojo-platform-channel-handle=2472 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b11bb400a996d3b86251618e3a8f59e7

SHA1
6fbf8b17ffae7fc99afede9481276b90d6a917bd

SHA256
ce591384646395c6599bfc27b414560121c786c0372ec3bb8680a6c09a09061d

SHA512
c6d8af0c68820a52a411728f8eb89239b9062db56edaaeda5756952e104a5d78fa9b4759933e42760dc86b0c51a58402ec1f723e6fecdd3d2a7e90073eaca9ea

Download Submit