f5130b7f56e9585fec62e97af6e46eabfdb74cb465d999663b88066bb8f1f060

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Debug/Nexam.exe.WebView2/EBWebView/hyphen-data/120.0.6050.0/hyph-as.hyb
Size

703B
MD5

8961fdd3db036dd43002659a4e4a7365
SHA1

7b2fa321d50d5417e6c8d48145e86d15b7ff8321
SHA256

c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe
SHA512

531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2820	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2820	AcroRd32.exe
2820	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2812	2036	cmd.exe	31
PID 2036 wrote to memory of 2812	2036	cmd.exe	31
PID 2036 wrote to memory of 2812	2036	cmd.exe	31
PID 2812 wrote to memory of 2820	2812	rundll32.exe	32
PID 2812 wrote to memory of 2820	2812	rundll32.exe	32
PID 2812 wrote to memory of 2820	2812	rundll32.exe	32
PID 2812 wrote to memory of 2820	2812	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-as.hyb
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-as.hyb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-as.hyb"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
78b8ee289bd8b889c616044db263c8a9

SHA1
d03b22e818f855d8ba80f94cde85b0dea331cc63

SHA256
dc772470024c4484186da4132d552626f108ba5f4b169060db2f3b13ab744a59

SHA512
ee719edcf204ef8ef75515d5951f898657375d8215cf5e85eea9ce073f4a89c68d54c51c33e0c9a1e056c26d6f4ce55f68014ba64100108da2e025b3ce0e5ae0

Download Submit