110ed2f09d165b3a7ebb28eaf7d1217069e352c82b6dde598ca6a70befb98d1e

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StardewXnbHack-develop/StardewXnbHack/Framework/PlatformContext.cs
Size

5KB
MD5

7d531ae18a3ffafe30d07beece4d99fb
SHA1

098481b817bd766e37cc2fafff7496a0de60b54c
SHA256

944663afd7dfe205b0898ab9056cf4dedb2af5d31397a2179b18ff2f1ed092a5
SHA512

f4b328d0ee02b84b30bee3d31cee0e2bdfe3421b79dbe1183714c82a961d36b8262bbfbe85c29f67c874ff13d4b1a5a696a2f5a56958bd329f3ca1103c5a9d02
SSDEEP

96:Cj4YP27U7U2Ot/Xnt6q2NqNR1x6+v7Js722oqH42AVcwhqyqx64NdiINzyL:tDsOlt6q2NqNdVv7JsadqH4DKgqyqg4m

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1476	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1476	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1476	AcroRd32.exe
1476	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1476	3052	cmd.exe	32
PID 3052 wrote to memory of 1476	3052	cmd.exe	32
PID 3052 wrote to memory of 1476	3052	cmd.exe	32
PID 3052 wrote to memory of 1476	3052	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\StardewXnbHack-develop\StardewXnbHack\Framework\PlatformContext.cs
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\StardewXnbHack-develop\StardewXnbHack\Framework\PlatformContext.cs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4a5a22945ff028d0a9f7457b288c9818

SHA1
e0eff94760bda2a52f5cb375ee436866dcc95702

SHA256
63c20af1a42a0b5e74b76607ca2b5ff3909eeb275b90943479b81805055f5295

SHA512
3030cfc7962b35f56cc4bbab581022da99834c3cf8299e78c3f70aa722ee629f77267502f513d24d163bdd5927996607d61226d16b2975789061ba2d493370f4

Download Submit