49acbf1c80eb1ab0b59cfab2164211faa2fbf66cf0d01ad4915c662d54b9c5b6

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28.06.2024 1. Mahnung.pdf
Size

211KB
MD5

dad8de027e453274b42b0971bbfe87c8
SHA1

e4fd42b0bcb9f8ae01e18d6fca69d4251e743fd9
SHA256

49acbf1c80eb1ab0b59cfab2164211faa2fbf66cf0d01ad4915c662d54b9c5b6
SHA512

2f710c5acd598e930270065d97f12b6b5881d79fefdde7ec91788758255da7f67e8e9f7b8fe384247e75a6799621b19a16f80672a29b3e6a3e06d13c14162d0f
SSDEEP

6144:4AGvL+vKJm23xvGZbNkPmtE3QgaZ3B2NkV:4L+vKZvGZbWPfghR2NkV

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1544	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1544	AcroRd32.exe
1544	AcroRd32.exe
1544	AcroRd32.exe
1544	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 3652	1544	AcroRd32.exe	85
PID 1544 wrote to memory of 3652	1544	AcroRd32.exe	85
PID 1544 wrote to memory of 3652	1544	AcroRd32.exe	85
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 1316	3652	RdrCEF.exe	86
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87
PID 3652 wrote to memory of 548	3652	RdrCEF.exe	87

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\28.06.2024 1. Mahnung.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5AF3D23541610EF77765413D8740C0BA --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1316
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CD513C6DE80920ECC3B7AC300C432164 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CD513C6DE80920ECC3B7AC300C432164 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EE7B24AAD59B7B20E9CB8E86D77CBCF1 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3C20E6F77569882DFBC16415D1C607BD --mojo-platform-channel-handle=1852 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5020
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=73BDB1DF27C35398B957D3E3D09F9C06 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=73BDB1DF27C35398B957D3E3D09F9C06 --renderer-client-id=6 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6A82039CE91ED05745D715D53F99C734 --mojo-platform-channel-handle=2712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
67c1fe29b4260d34a7b5c244fedb5720

SHA1
073841a293b2315a555492bdc453264eda917ba3

SHA256
3771ed2dc02c3bc316c20d04702cad485195c98f2299658ba6d762589000a155

SHA512
39031acbc55c8a974803306a66113fbf9bbd4c3522f8fac8957a384be623cd63f94684edbaef00d042799c5cd7ed734fe7936138d6335b7314514d95761cddfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
45c05241b8c7e37813be88cd19845ec2

SHA1
c2fc8c57e7bb8608469396a98aa0016a3804dbb0

SHA256
c44b98c20c8444e401c49df52fb8655e3035496b9258cf607b11bc4ae26edf88

SHA512
1d584136421feb23956fa72ab74934055c9c0fc9920ca18e8ad450fbd9d37ddfc5d8794fe8ef60772f2738f636d8a9fea65e8190a2049d3fa0b7ec698dfae692

Download Submit