ff320cb28d20844a224c2d537341bb99e80a08ac11c783eee8b1115ad659ab1c

Resubmissions

01-07-2024 02:39

240701-c5m6qstdqe 4

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Benefits & Compensation Letter For Skgcs Ops_GTDEFPPKILJROOT.pdf
Size

29KB
MD5

b603adccb7e31a4941c456a8f4f9ab3a
SHA1

1bfb0faf333b3ae1f3f4af68b71621a47a4f483a
SHA256

ff320cb28d20844a224c2d537341bb99e80a08ac11c783eee8b1115ad659ab1c
SHA512

bfff40882efda50e6fbac035f6a171da3da49d91c8c9fc7ef57c4652261c1180b340b2c0a273b50ad8352c18bedd9d8ab86dcade87e38036ad419c18718927c7
SSDEEP

768:Bs97XcbPttWmGN++w7w8OsuDC8WRKrQlsq3Dl5ZD:B+XpS7w8z6Wg0SIDrZD

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

AcroRd32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2588 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2588 AcroRd32.exe
2588 AcroRd32.exe
2588 AcroRd32.exe
2588 AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

pid	process
2588	AcroRd32.exe

pid	process
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2588 wrote to memory of 3388	2588	AcroRd32.exe	RdrCEF.exe
PID 2588 wrote to memory of 3388	2588	AcroRd32.exe	RdrCEF.exe
PID 2588 wrote to memory of 3388	2588	AcroRd32.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 3672	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe
PID 3388 wrote to memory of 1560	3388	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Benefits & Compensation Letter For Skgcs Ops_GTDEFPPKILJROOT.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3388

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C9E7C0D7A81C23C303229F91C4D7814 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3672

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EF68B3D5A851D3844E3F224AF8508990 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EF68B3D5A851D3844E3F224AF8508990 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1560

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F5036FDB3FA998F76B2352FDD25C302 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=324E9458D583BB3D4CCEF3D849224D1F --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A256EFB96BE116E93E5991086D456766 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BAB0870C81314A2A219D6163E8542156 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BAB0870C81314A2A219D6163E8542156 --renderer-client-id=7 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
5abe0d21f0a0b51c583627b77e6e0498

SHA1
8e26165253e9fa1ce356c0aa6f3860ceaeb43c3e

SHA256
36ee3cf24ee24db80f7986b4ee07efe31b5b4b66f50657ed3b2372e38e0c5aeb

SHA512
e67c5042fe54aa5c2370da549e97ac420e35eae9a37b397854368e4a18b786e92063e717301a1bc5793251784c883e9547b99912824e657a1065e41854e79615

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
6ef4b65136ba38f77153ab288e923660

SHA1
f2d862e07d621613c4ec6600a74a1cc3a800d9e0

SHA256
fa772b6f54b1cbf77fdb42f007c8856c469e770ef75bceca46759fc1161d5dc0

SHA512
9329872dad20639410d10d6c3bc3c0944609069ab7ddb021b65d65a2071a1e02abec550afde0d2cd1b87dbef98f45a94bcf167c4fdfa9187268587f74cd30379

Download Submit