f5130b7f56e9585fec62e97af6e46eabfdb74cb465d999663b88066bb8f1f060

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Debug/Nexam.exe.WebView2/EBWebView/hyphen-data/120.0.6050.0/hyph-bg.hyb
Size

3KB
MD5

e8a4f8f5238f9a0ff6968ad8dba2755f
SHA1

abf002ff28b3aa2a59948225e5e600096348caa7
SHA256

7593f0395081e3eeb2d8516d10746608afd826cffd4e7e37d53936993d200a13
SHA512

b54811e1be6e63bf19e408ac4ae9da86e1473e4e8f1e9d517d907e025be20fa6979517339ec6defd0ec30613ed42a97d88111d39297214afa7606597cba5ea86

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2756	AcroRd32.exe
2756	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2268	2184	cmd.exe	31
PID 2184 wrote to memory of 2268	2184	cmd.exe	31
PID 2184 wrote to memory of 2268	2184	cmd.exe	31
PID 2268 wrote to memory of 2756	2268	rundll32.exe	32
PID 2268 wrote to memory of 2756	2268	rundll32.exe	32
PID 2268 wrote to memory of 2756	2268	rundll32.exe	32
PID 2268 wrote to memory of 2756	2268	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-bg.hyb
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-bg.hyb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-bg.hyb"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cebfb5e1254e8ccd85de8187aade165a

SHA1
dec608bd7d18f91364927ce05846e03d21d29f40

SHA256
7bd20450b4dfa70ab33184f9e6baabc2d5c04ba6740b8ef02a89b7718baf3a49

SHA512
0aa12178f25b78dd73d12428ddeacac8112087fad1adf1e347d672acbdaa87aec70027ff239d02865bb6976677164e2ff1f1eb96b5789f18e3768da91feae499

Download Submit