a6659e559b928d89655602db75505f7b1c765a11ba7af66f1cee9c9d02149562

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CefSharp.exe
Size

10.8MB
MD5

acff16b9fae109888d772998b91ccca4
SHA1

b580c68d4d2bf3cc26393728337278f190d405f1
SHA256

5cae75e6d6a6b249b2d977158998aaa514b8c917c313b5a0609c7b90b075ae50
SHA512

557aadc06ca2a961ca44b6e4f46cbe412d605dab2092bee16118baaa8a4a02eecbd746ba615d0af9eddd38ed67d81ef44dd1313956a32a4798a4018d24377962
SSDEEP

196608:4gavfJVzbFUbwD5PVO47xgO2JC85cikjYA/cmiV7ZNt/ikyM:hIhBbFUcBVO47xg/C3P/eJVyM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2380	evb9CDC.tmp
2924	xwormv5.exe

Loads dropped DLL 1 IoCs

pid	Process
2416	CefSharp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2380	2416	CefSharp.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	xwormv5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	xwormv5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	xwormv5.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2380	evb9CDC.tmp
2380	evb9CDC.tmp
2380	evb9CDC.tmp
2380	evb9CDC.tmp
2380	evb9CDC.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2380	2416	CefSharp.exe	30
PID 2416 wrote to memory of 2924	2416	CefSharp.exe	31
PID 2416 wrote to memory of 2924	2416	CefSharp.exe	31
PID 2416 wrote to memory of 2924	2416	CefSharp.exe	31
PID 2380 wrote to memory of 2708	2380	evb9CDC.tmp	32
PID 2380 wrote to memory of 2708	2380	evb9CDC.tmp	32
PID 2380 wrote to memory of 2708	2380	evb9CDC.tmp	32
PID 2380 wrote to memory of 2708	2380	evb9CDC.tmp	32

C:\Users\Admin\AppData\Local\Temp\CefSharp.exe
"C:\Users\Admin\AppData\Local\Temp\CefSharp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\evb9CDC.tmp
  "C:\Users\Admin\AppData\Local\Temp\xwormbin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\system32\conhost.exe
    conhost.exe
    3⤵
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\xwormv5.exe
  "C:\Users\Admin\AppData\Local\Temp\xwormv5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\admin\appdata\local\temp\xwormv5.exe

Filesize
14.9MB

MD5
6c59ff494f131d6e12eec38f2b0c4c55

SHA1
555c547cf314c867a71464b5b761c7f1d296df15

SHA256
19f9f28a04878d8a958835f5add563c1db48498309982afea1c2fd8a7ed8cc05

SHA512
f7a2d52aeea60d8d934bf042709bc3d00e224d0761480475609044dcd339e5927b546d51b2b23144074a70c76b64468a7b94246c254c63b5e5b1b44276cfd24f

Download Submit
\Users\Admin\AppData\Local\Temp\evb9CDC.tmp

Filesize
1KB

MD5
86d23632843c402a3a34828bb99317c9

SHA1
ee7082dcee56cb61d0cae037078efb2a4b32eaae

SHA256
eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280

SHA512
9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

Download Submit
memory/2380-53-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2380-52-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2380-47-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2380-48-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2380-8-0x0000000000430000-0x00000000004D3000-memory.dmp

Filesize
652KB

Download
memory/2380-10-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2380-23-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2380-26-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2380-38-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2380-39-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-15-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-0-0x0000000140000000-0x00000001400DE000-memory.dmp

Filesize
888KB

Download
memory/2416-33-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-36-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-17-0x00000000035A0000-0x0000000003BE1000-memory.dmp

Filesize
6.3MB

Download
memory/2416-41-0x00000000035A0000-0x0000000003BE1000-memory.dmp

Filesize
6.3MB

Download
memory/2416-42-0x00000000035A0000-0x0000000003BE1000-memory.dmp

Filesize
6.3MB

Download
memory/2416-40-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-31-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-30-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-7-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-35-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-46-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-45-0x0000000140000000-0x00000001400DE000-memory.dmp

Filesize
888KB

Download
memory/2416-3-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-5-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2416-2-0x0000000077061000-0x0000000077062000-memory.dmp

Filesize
4KB

Download
memory/2416-4-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2708-50-0x00000000000A0000-0x00000000000AD000-memory.dmp

Filesize
52KB

Download
memory/2708-54-0x0000000001C20000-0x0000000001C32000-memory.dmp

Filesize
72KB

Download
memory/2708-55-0x0000000001C40000-0x0000000001C48000-memory.dmp

Filesize
32KB

Download
memory/2924-49-0x0000000001300000-0x00000000021E8000-memory.dmp

Filesize
14.9MB

Download
memory/2924-56-0x000000001C6F0000-0x000000001C8E4000-memory.dmp

Filesize
2.0MB

Download