54b51bf19ffce063577597534e1658d25e5756072366cceafec91af5d7382f4a

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

V1.5.6 + V1.5.8/SecHex-Spoofy V1.5.8 (testing)/SecHex-GUI.deps.json
Size

61KB
MD5

64ae126cf65a9096d5730e060b448293
SHA1

621bce8056a378974cc38788bee2c3079aec7a87
SHA256

a4cadd5c4f3922a4ada9e4bbc13e2bd779280a9b8cf537b66475fb3559bc7122
SHA512

8eb0dd523d91555ff65681ebb2d482e86e8ee5c2a8842fbbb479d164981d3d398308d335f8c3ba813007c16bf738c7ae72e4eb3c9d3ec92f4f09312e09261dc2
SSDEEP

1536:9+lcu7Ll5JBuR6ML1O/1u33ZHZsSGKm6Y8:8lcu7Ll5JBuR6ML1O/1u33ZHZsSGKG8

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	AcroRd32.exe
2600	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2176	2984	cmd.exe	31
PID 2984 wrote to memory of 2176	2984	cmd.exe	31
PID 2984 wrote to memory of 2176	2984	cmd.exe	31
PID 2176 wrote to memory of 2600	2176	rundll32.exe	32
PID 2176 wrote to memory of 2600	2176	rundll32.exe	32
PID 2176 wrote to memory of 2600	2176	rundll32.exe	32
PID 2176 wrote to memory of 2600	2176	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\V1.5.6 + V1.5.8\SecHex-Spoofy V1.5.8 (testing)\SecHex-GUI.deps.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\V1.5.6 + V1.5.8\SecHex-Spoofy V1.5.8 (testing)\SecHex-GUI.deps.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\V1.5.6 + V1.5.8\SecHex-Spoofy V1.5.8 (testing)\SecHex-GUI.deps.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6ed6f4c9ae6dd0129772b46c4d4b4c0a

SHA1
9566fbb5dacd5c22771a0f09edfd8b0162928562

SHA256
1b2fd5a07eae56d7f32977a7ce3a5dbb5a1235cf683066773207f09f55d576fa

SHA512
15f985a7c8865914239a607a529e97a9012946b76d709383de50eba15a1176737708af92c493e083161ccbc890d2309a0cb699b708a82d95af168d29ccd7cdf0

Download Submit