6dba900ba4e73e88cf3d3a062f71735f30e615436d01aa96d18545e97d31a5a4

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nezur_Interface.exe.WebView2/EBWebView/CertificateRevocation/6498.2024.12.2/manifest.json
Size

114B
MD5

e6cd92ad3b3ab9cb3d325f3c4b7559aa
SHA1

0704d57b52cf55674524a5278ed4f7ba1e19ca0c
SHA256

63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d
SHA512

172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2872	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2872	AcroRd32.exe
2872	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2704	2528	cmd.exe	32
PID 2528 wrote to memory of 2704	2528	cmd.exe	32
PID 2528 wrote to memory of 2704	2528	cmd.exe	32
PID 2704 wrote to memory of 2872	2704	rundll32.exe	33
PID 2704 wrote to memory of 2872	2704	rundll32.exe	33
PID 2704 wrote to memory of 2872	2704	rundll32.exe	33
PID 2704 wrote to memory of 2872	2704	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\CertificateRevocation\6498.2024.12.2\manifest.json
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\CertificateRevocation\6498.2024.12.2\manifest.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\CertificateRevocation\6498.2024.12.2\manifest.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d4a6b2892b8eaf1d41a8bd02c297f0c4

SHA1
e49314d5d948b479511376cffd8f52ca9955813d

SHA256
888feed6419339b0a3d43c3fbf8cfb65976e51a6a7fa3c709921dab5d60349de

SHA512
d2765a502fa341b1b76d032348e6ba2da8872d758496f7d4d94c5acefa709115e2d26a47c15904b5d0d18e0fd1c2600e8783077c12cbe1f89c14c2b6095ebe71

Download Submit