f5130b7f56e9585fec62e97af6e46eabfdb74cb465d999663b88066bb8f1f060

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Debug/Nexam.exe.WebView2/EBWebView/hyphen-data/120.0.6050.0/hyph-be.hyb
Size

5KB
MD5

087de134f3b23a9944afd711a9667a0b
SHA1

1b67d0a65ef91295207d66e62b682803aa74ef00
SHA256

25b7cfa039f82ac92990e1789de40988d490db9b613852fb24036b38ff87893c
SHA512

42c0b51e0e28109a7058d3fc03fa7bef8b25c9b3c8bb74933574fad06c061fd1636b53eeeacf652e438d4df08002db449681be9e6e6821ec23d32a8be1778998
SSDEEP

96:mmfvnESaDPq1iYM7N8gyurprJr/P5FwBlh/RT95vtEUnbpwROaQPP/KV2L+HCdYV:XfYPq1iYyNk5p50OwQPP/KV2L+HCinCO

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2824	AcroRd32.exe
2824	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2652	2096	cmd.exe	32
PID 2096 wrote to memory of 2652	2096	cmd.exe	32
PID 2096 wrote to memory of 2652	2096	cmd.exe	32
PID 2652 wrote to memory of 2824	2652	rundll32.exe	33
PID 2652 wrote to memory of 2824	2652	rundll32.exe	33
PID 2652 wrote to memory of 2824	2652	rundll32.exe	33
PID 2652 wrote to memory of 2824	2652	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-be.hyb
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-be.hyb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-be.hyb"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e2c9ee2b21161987c84045b6f537c0fd

SHA1
6d5d7277f0a8a3a87fc1592319f8fb70ecbaaea8

SHA256
15908c05a1335ecaff18cb7bbb9011b36256f37ec252ae0c6b1f9873a91f6ff5

SHA512
f593ec96a46142c49b118135a2906caed1e181b25df61e83c517d71efd29e38563aec5d6c6bdc85253c0639393bdaa0beae5ca10038bd8da6a81a97a0671e468

Download Submit