fdd8621016f03117f812e5b32955ace923cdacd4daa22030df9e9f2b3397a7cf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6576f84fecf9e2b65fbd09fb5624fb9defe965b9be6377805999b432d79f95b6.pdf
Size

46KB
MD5

d9bef9f3443094d924d0101eeac908f4
SHA1

86359abd7e7b4f2918f71d47818f1c494c3ff8dc
SHA256

6576f84fecf9e2b65fbd09fb5624fb9defe965b9be6377805999b432d79f95b6
SHA512

ce8874b79236b83d562791bfec576307d1027951f97b09d96ab3986eca299dc3b3855ed90c183b0feb37b95c6b725a2dc8c2b7aeba8f677e4fe5bbc461adfed5
SSDEEP

768:tss2ZrNNJqeUC/bLufNa+r6X6dSMCz+MB1br9r879O/S0RjcgjgxGCGqdVkk44Av:gNie9XufNa+r+6dSMYP9rW9adc7xGFqo

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2180	AcroRd32.exe
2180	AcroRd32.exe
2180	AcroRd32.exe
2180	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 388	2180	AcroRd32.exe	83
PID 2180 wrote to memory of 388	2180	AcroRd32.exe	83
PID 2180 wrote to memory of 388	2180	AcroRd32.exe	83
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 3232	388	RdrCEF.exe	86
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87
PID 388 wrote to memory of 1068	388	RdrCEF.exe	87

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6576f84fecf9e2b65fbd09fb5624fb9defe965b9be6377805999b432d79f95b6.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F671611F9F27987A8C77D9BF3E4163A8 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3232
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E5E7A57444DF859E402A461A4F26F081 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E5E7A57444DF859E402A461A4F26F081 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1068
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=71BD1EBA7491B88F8081BFA1F82AB2C8 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3972
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3E4A0B191EB13AEE20C1125405C6DD53 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4940
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=25397F9D82620161D747B28A4C3B928C --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
27c602eddca56473e3091bba4dd0f70d

SHA1
1bc8b5793dc4ba6d1a878350384801d540723048

SHA256
20c3f8bc8de7b8b74ce3ede4b1d90ca6699d10fa090b90376bde8dc88bf02826

SHA512
14e0a94b19f378303df383aea3be4fdd72e7100092c4a1374061caed3af42a1b310ec0c17c67ea9f2b9135968ee81b5796d2ffd9f7e1e2fa3004985bd9f1c808

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
228acd21dd31ec6853cce3b85cdc037d

SHA1
d82bd9c087a3eaa7682c5e6b7d59d8f5cb5b638d

SHA256
1a166343752df1ea5296a11da6422902e3ee403c8d4affe11419a09ee216458d

SHA512
6db3fa995d79828a74d356186db2a0d530af85d05c5b5f6f4f1d3a4c86b035903953501f409bba86cab397bd35f6840afd172942a433f29503ed6eedb0ffd152

Download Submit