51e6aebe4c253fb39aae33880847c92ae69487739e78152006a0fb840cacccb0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMOR.pdf
Size

5KB
MD5

c592dc81e8266380851ba4b32a8a8aa5
SHA1

ef5fc0a7ae98d26121b84561b3b7597450f102d0
SHA256

13f18cf6ced37ab7b9056b66b066ba3b1abb2ec2aa0cdda92d81089d7c39310b
SHA512

d0f77a2d53240d20708695ce8740668dbc45a55114d2077526e6e638f1b09560379231029084f5f3f5c07f4f62925b8808907c779442326d3a78441e0d20295f
SSDEEP

96:qlTOMp66EdSKvt9boiWLETfl+aet90lKkjwnVEtzasJ4d7TP:eOfL4gxoiWW4fti8kknONW

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3116	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3116	AcroRd32.exe
3116	AcroRd32.exe
3116	AcroRd32.exe
3116	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4640	3116	AcroRd32.exe	86
PID 3116 wrote to memory of 4640	3116	AcroRd32.exe	86
PID 3116 wrote to memory of 4640	3116	AcroRd32.exe	86
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 2728	4640	RdrCEF.exe	87
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88
PID 4640 wrote to memory of 1392	4640	RdrCEF.exe	88

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AMOR.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D2277699EC5B116121DEB35D627B008A --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=077392ABD13325D822B6D262D76E9E1C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=077392ABD13325D822B6D262D76E9E1C --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1392
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7D94D7E4B5BA01E4F249354A1CA13FBA --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=945E606E80C946CBD74874428FCD2562 --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=39F3E64F938EB12C1CB9470E2A6FD975 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=156283B5C78034E2B931122A63320265 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=156283B5C78034E2B931122A63320265 --renderer-client-id=7 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ff26d0f9ab7d3da99f74c067cfab883f

SHA1
1744373baf6750d8a0858a064352c10c3e7cf8f9

SHA256
b459234e02e35a31862fe62cfa28752a001851c2aef8e2cccdd929e9d771c048

SHA512
b119a948c9b75f259d074c09c26f13cd400440b66a7464c2581a80a8c75b03cb013d2891a0f333b96471bc3e10495157b680bf770e9716bfcd13d4bec211e83d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
85a75810276d27c5aadd11a04c17db7e

SHA1
3d5db4bd4b7e6fb42c1acc4db80054366e65e7d5

SHA256
b17912a890f34d0b842eb683c56aae7b58ca155e27d64fb13ea175c96076faf4

SHA512
71aa1b0be4e4542af403b9c23f2357c4eacf8e739497e20dc4681793568b3896aef8c9972983030afec3acd27c02bff81bdf05088ebac6e63cfd4f79080d7583

Download Submit