110ed2f09d165b3a7ebb28eaf7d1217069e352c82b6dde598ca6a70befb98d1e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 13:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StardewXnbHack-develop/StardewXnbHack/Framework/DefaultConsoleLogger.cs
Size

3KB
MD5

e2d58b031caa9a148feb22aad18a75ea
SHA1

c30f7dfbb0f35611582087789f3a8024b851a3eb
SHA256

79388a6ac3cb73c5cf7b6b6629fb6ad751d5a94fb73af9a5a6c9ee7b3e27d690
SHA512

6ed723388cb2878de7ed9ef33c745546cd2675108edaf88fda93d92163357861232079c2976851e2226e4220151b20767676029940ebb2669a3dce860f6845f7

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3056	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3056	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3056	AcroRd32.exe
3056	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3056	1904	cmd.exe	32
PID 1904 wrote to memory of 3056	1904	cmd.exe	32
PID 1904 wrote to memory of 3056	1904	cmd.exe	32
PID 1904 wrote to memory of 3056	1904	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\StardewXnbHack-develop\StardewXnbHack\Framework\DefaultConsoleLogger.cs
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\StardewXnbHack-develop\StardewXnbHack\Framework\DefaultConsoleLogger.cs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1ffa4b24a4bbfdf2f1fd5d033bb67bab

SHA1
08dc2c7830d10b83412f679fd1899131c977a8c5

SHA256
aa50ca21f8f91e94da26b3dfd160b508d8974df33c0687475ce6311685f7bae5

SHA512
b4b056e997843733379d8382d44f59433c7d0ef9b0480722aaaa16588118e04b39f229ba94430dec1b4d9b612c409637b08cbe1f5683e0e26560d08bd17856e8

Download Submit