0bf9e8351bcb7aa91695d546d34c38de38adcd9318327fb072d45c4bf2c1587e

Analysis

max time kernel
134s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08/08/2024, 18:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

&QL1dpJ_invoice .pdf
Size

71KB
MD5

7696fa30a9d4e6a7d77d9fd19e964e67
SHA1

dd14c5af16a3e62f849d5e350035600699668979
SHA256

0bf9e8351bcb7aa91695d546d34c38de38adcd9318327fb072d45c4bf2c1587e
SHA512

73416c690c46f3c309b2a1e6cea018712426c369e024b008c5b503bed6649d986e4bf893c0fa99d10a1ed8be4885977616c68a3911ea5d801ae183075b0c89f1
SSDEEP

1536:rDFTOYk0aRHa2RmrsICi6V9+7/EXdheZ5HmUxkweraORP2a27:Fk0yHHtDZV9+7/QeVxkxrLN2x

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
204	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
204	AcroRd32.exe
204	AcroRd32.exe
204	AcroRd32.exe
204	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 204 wrote to memory of 3236	204	AcroRd32.exe	74
PID 204 wrote to memory of 3236	204	AcroRd32.exe	74
PID 204 wrote to memory of 3236	204	AcroRd32.exe	74
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 2036	3236	RdrCEF.exe	75
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76
PID 3236 wrote to memory of 3268	3236	RdrCEF.exe	76

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\&QL1dpJ_invoice .pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:204
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=786CB98DD09EDE70E357445E78EFC0AC --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=54FAC5B34CE9DBB81EF07575C88F5C92 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=54FAC5B34CE9DBB81EF07575C88F5C92 --renderer-client-id=2 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=64E3067D27D2B3EB961C09E600189009 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=64E3067D27D2B3EB961C09E600189009 --renderer-client-id=4 --mojo-platform-channel-handle=2228 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A9A30056398D87CC1C06CCC8626A866 --mojo-platform-channel-handle=2252 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=061A69A3BAA48E81C41C4B3E69C51E0B --mojo-platform-channel-handle=1792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=38E678CE61166AC4C800226458DDDB7B --mojo-platform-channel-handle=1832 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b776c259f7c40d354b8a97531a29b23e

SHA1
9c569b9c6f05f82aa8695314f800771ad0c26fcc

SHA256
bb5f5db77368d4dcca5000d843013441adc1bf0780629a12a138885e41c7c879

SHA512
eaf2e5d838280a8e3b3f5aa89942b476f34608f4ea6fa9bfe9ca40f2701d9fa88151ada479eb200ad77a7ab2cdfeed0e25ae28c1e0be3ae3c0f3a5831b1f399d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
76cb7a1a20ae2bc0a145f8749bbe1aad

SHA1
e5b34a633dced95505321705cf78513bdf560301

SHA256
ce8ab5468ac03ed1ff65c4cc80a361cfb1da1d1f4e5f8c7a97b84164224a14d3

SHA512
e5f191f4ffb6bc078a77e6c268fd09a2b779404672234084dd3b061005a9a9b69041866f4c6981c4b57b68a4c534fe6033288853f49d10cb697741670fd66085

Download Submit