Resubmissions

12/10/2024, 10:59

241012-m3mgja1frq 6

12/10/2024, 10:54

241012-mzm9na1fjj 8

12/10/2024, 10:51

241012-mx9pwawhjg 7

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2024, 10:59

General

  • Target

    net8.0-windows/Xeno.exe.WebView2/EBWebView/AutoLaunchProtocolsComponent/1.0.0.8/manifest.json

  • Size

    134B

  • MD5

    58d3ca1189df439d0538a75912496bcf

  • SHA1

    99af5b6a006a6929cc08744d1b54e3623fec2f36

  • SHA256

    a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

  • SHA512

    afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Score
6/10

Malware Config

Signatures

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\net8.0-windows\Xeno.exe.WebView2\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\manifest.json
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\net8.0-windows\Xeno.exe.WebView2\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\manifest.json
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\net8.0-windows\Xeno.exe.WebView2\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\manifest.json"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    169ba782d8cec26bd21af3fa13bbf035

    SHA1

    bb1ee2b401c21b56f490a4f39478d635f8b4c87f

    SHA256

    f73f16c442221de33395c6fe275148968e46dd54f219f6a9af4a45ebd29f7b3d

    SHA512

    8aeb5d5691249a8504dd0854f4823967d361801706bdabb592f512e88db1ad4b9ab6fba0b20c553e00d51a6e97fe9397fb0cbecd2ada0be1dd950c7d6c102e84