f5130b7f56e9585fec62e97af6e46eabfdb74cb465d999663b88066bb8f1f060

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Debug/Nexam.exe.WebView2/EBWebView/hyphen-data/120.0.6050.0/hyph-bn.hyb
Size

703B
MD5

8961fdd3db036dd43002659a4e4a7365
SHA1

7b2fa321d50d5417e6c8d48145e86d15b7ff8321
SHA256

c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe
SHA512

531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2852	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	AcroRd32.exe
2852	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2568	2220	cmd.exe	31
PID 2220 wrote to memory of 2568	2220	cmd.exe	31
PID 2220 wrote to memory of 2568	2220	cmd.exe	31
PID 2568 wrote to memory of 2852	2568	rundll32.exe	33
PID 2568 wrote to memory of 2852	2568	rundll32.exe	33
PID 2568 wrote to memory of 2852	2568	rundll32.exe	33
PID 2568 wrote to memory of 2852	2568	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-bn.hyb
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-bn.hyb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Debug\Nexam.exe.WebView2\EBWebView\hyphen-data\120.0.6050.0\hyph-bn.hyb"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a81038ac7ea173c602d8a137c3356b0d

SHA1
fbc9fc84d326c660f34546be3fe7d9050e9e291d

SHA256
83b234075c5f776f0ea4676081c20c957ae509f607e53334352adf8dfcf42a42

SHA512
ae1a86b181db3e50b28a9c85580470b55de326abb247afa2b1c515ec8d9b8bb24bd703531f2a7911fdcb20c4ef483aaad30b4e51aa6c6ec7664ae30810ee94ca

Download Submit