4c3d790cd1d2d9da3fd730a36749a2f243b81bcf07b7996da644b58cd0196f86

Analysis

max time kernel
103s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nezur_Interface.exe.WebView2/EBWebView/Crashpad/throttle_store.dat
Size

20B
MD5

9e4e94633b73f4a7680240a0ffd6cd2c
SHA1

e68e02453ce22736169a56fdb59043d33668368f
SHA256

41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512

193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.dat	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.dat\ = "dat_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dat_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dat_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dat_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dat_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dat_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2728	AcroRd32.exe
2728	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2904	2568	cmd.exe	31
PID 2568 wrote to memory of 2904	2568	cmd.exe	31
PID 2568 wrote to memory of 2904	2568	cmd.exe	31
PID 2904 wrote to memory of 2728	2904	rundll32.exe	32
PID 2904 wrote to memory of 2728	2904	rundll32.exe	32
PID 2904 wrote to memory of 2728	2904	rundll32.exe	32
PID 2904 wrote to memory of 2728	2904	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Crashpad\throttle_store.dat
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Crashpad\throttle_store.dat
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Crashpad\throttle_store.dat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e4add23f6bb66068aa2cdfd02535b41f

SHA1
52bc7983743b3553b585bd8eef53235ee7992baf

SHA256
da9650af9d1ab8516c98be605e7f521f2a1ea4e238a8c8fd1f13d659cfda88c5

SHA512
024e4b268cf7842ee4f23463a7d03513ec67f264dfd646dd1a0c27a9e9c12444054d0c3d169c6aac1c4402564b0b09ed179fa435c5c91913900fabd5a9a33774

Download Submit