f5130b7f56e9585fec62e97af6e46eabfdb74cb465d999663b88066bb8f1f060

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Debug/Nexam.exe.WebView2/EBWebView/hyphen-data/120.0.6050.0/hyph-af.hyb
Size

70KB
MD5

ffa9db945f0f0c15b8bba75a6e064880
SHA1

49217a9d5bb7a868464403b4e3c82e80df53456c
SHA256

5487ee44a4cd706d0086522e90c59c76cdf2ac68ce506fd3eae6054b9220c0cf
SHA512

cc67b2dfbbb009dd3fdb999fe86410425455613c12dac755a3cded435cd25ca4363782d70f3b7bb7c0fdd63e2eb649ae6a4053d929f463b646b43d7dbfda79c0
SSDEEP

1536:dH4Yzf/r1T2bhKC+wQ/MJ4tpBMfWDMxFaye3yrGZ3vGV9YODhX3yKfhGt:dxLr1qFKpNpufWIqye3KgGVnDxe

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1708	AcroRd32.exe
1708	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2724	2956	cmd.exe	31
PID 2956 wrote to memory of 2724	2956	cmd.exe	31
PID 2956 wrote to memory of 2724	2956	cmd.exe	31
PID 2724 wrote to memory of 1708	2724	rundll32.exe	32
PID 2724 wrote to memory of 1708	2724	rundll32.exe	32
PID 2724 wrote to memory of 1708	2724	rundll32.exe	32
PID 2724 wrote to memory of 1708	2724	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-af.hyb
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-af.hyb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-af.hyb"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f3307f07d2069692b4a613c6d5190456

SHA1
49610c254f4f4a80161df647d31e1f9a6f35f1a4

SHA256
1b01c7dda3e2c75756a29e2f9eb5b9f4b9f3d215cad9af6f611654cfedd90c12

SHA512
498c5036d9139b5387382dec4880111a0710f2874fb7c2691aab074483ae030776028300f05ab7ae36ee415e06977c88802b49638edbccd5651de7b20024cdec

Download Submit