xworm | 294844c94484fc0763c2d56b7e0565da45f4b0dcd41a5b879d1a02a547308d5d

Analysis

max time kernel
294s
max time network
297s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/06/2024, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skleika.exe
Size

2.6MB
MD5

94eaae4cf437c5febfb355a573438353
SHA1

1fcbe61d5aa981d368855856db0f4bad301b9caa
SHA256

294844c94484fc0763c2d56b7e0565da45f4b0dcd41a5b879d1a02a547308d5d
SHA512

b7986182ee0a3b5de1c8b4d61889b046b4e26395d9a528a6918b620e03f3f6f7f2f273769bc8210d93f97013dd6f18a3d352b32df14dce3a98b6ddf6daa9c931
SSDEEP

49152:1Djlabwz96JaW7icYCrA6ugdyO/riiS00Zuev7co+66AIqpb0MzokbJDx:ZqwURivCr1a+rZNevwofP+0JDx

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

consider-catalog.gl.at.ply.gg:61770

Attributes

Install_directory
%AppData%
install_file
bebra.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000002a98e-15.dat	family_xworm
behavioral1/memory/3488-26-0x0000000000D20000-0x0000000000D3A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4652	powershell.exe
1324	powershell.exe
1692	powershell.exe
3048	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bebra.lnk	bebra.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bebra.lnk	bebra.exe

Executes dropped EXE 7 IoCs

pid	Process
928	impact.exe
3488	bebra.exe
4064	bebra.exe
1736	bebra.exe
4164	bebra.exe
1272	bebra.exe
3152	bebra.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4816	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\bebra = "C:\\Users\\Admin\\AppData\\Roaming\\bebra.exe"	bebra.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1608	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	powershell.exe
4652	powershell.exe
1324	powershell.exe
1324	powershell.exe
1692	powershell.exe
1692	powershell.exe
3048	powershell.exe
3048	powershell.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe
3488	bebra.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	bebra.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	3488	bebra.exe
Token: SeDebugPrivilege	4064	bebra.exe
Token: SeDebugPrivilege	1736	bebra.exe
Token: SeDebugPrivilege	4164	bebra.exe
Token: SeDebugPrivilege	1272	bebra.exe
Token: SeDebugPrivilege	3152	bebra.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4892	helppane.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2104	javaw.exe
2104	javaw.exe
4780	MiniSearchHost.exe
3488	bebra.exe
4892	helppane.exe
4892	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 928	3152	skleika.exe	76
PID 3152 wrote to memory of 928	3152	skleika.exe	76
PID 3152 wrote to memory of 928	3152	skleika.exe	76
PID 3152 wrote to memory of 3488	3152	skleika.exe	79
PID 3152 wrote to memory of 3488	3152	skleika.exe	79
PID 928 wrote to memory of 2104	928	impact.exe	80
PID 928 wrote to memory of 2104	928	impact.exe	80
PID 2104 wrote to memory of 4816	2104	javaw.exe	81
PID 2104 wrote to memory of 4816	2104	javaw.exe	81
PID 3488 wrote to memory of 4652	3488	bebra.exe	86
PID 3488 wrote to memory of 4652	3488	bebra.exe	86
PID 3488 wrote to memory of 1324	3488	bebra.exe	88
PID 3488 wrote to memory of 1324	3488	bebra.exe	88
PID 3488 wrote to memory of 1692	3488	bebra.exe	90
PID 3488 wrote to memory of 1692	3488	bebra.exe	90
PID 3488 wrote to memory of 3048	3488	bebra.exe	92
PID 3488 wrote to memory of 3048	3488	bebra.exe	92
PID 3488 wrote to memory of 1608	3488	bebra.exe	94
PID 3488 wrote to memory of 1608	3488	bebra.exe	94
PID 4892 wrote to memory of 5040	4892	helppane.exe	105
PID 4892 wrote to memory of 5040	4892	helppane.exe	105
PID 5040 wrote to memory of 244	5040	msedge.exe	106
PID 5040 wrote to memory of 244	5040	msedge.exe	106
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3864	5040	msedge.exe	107
PID 5040 wrote to memory of 3984	5040	msedge.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\skleika.exe
"C:\Users\Admin\AppData\Local\Temp\skleika.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Roaming\impact.exe
  "C:\Users\Admin\AppData\Roaming\impact.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -classpath "C:\Users\Admin\AppData\Roaming\impact.exe;lib\installer-0.9.5.jar" io.github.ImpactDevelopment.installer.Installer
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:4816
- C:\Users\Admin\AppData\Roaming\bebra.exe
  "C:\Users\Admin\AppData\Roaming\bebra.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bebra.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'bebra.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bebra.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'bebra.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "bebra" /tr "C:\Users\Admin\AppData\Roaming\bebra.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1608

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Users\Admin\AppData\Roaming\bebra.exe
C:\Users\Admin\AppData\Roaming\bebra.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2500

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528882
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf8a43cb8,0x7ffdf8a43cc8,0x7ffdf8a43cd8
    3⤵
    PID:244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,12961697910211932359,13289377962938101097,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:3864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,12961697910211932359,13289377962938101097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    PID:3984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,12961697910211932359,13289377962938101097,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
    3⤵
    PID:4264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12961697910211932359,13289377962938101097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12961697910211932359,13289377962938101097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12961697910211932359,13289377962938101097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    3⤵
    PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2628

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4652

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3976

C:\Users\Admin\AppData\Roaming\bebra.exe
C:\Users\Admin\AppData\Roaming\bebra.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\AppData\Roaming\bebra.exe
C:\Users\Admin\AppData\Roaming\bebra.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Users\Admin\AppData\Roaming\bebra.exe
C:\Users\Admin\AppData\Roaming\bebra.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Users\Admin\AppData\Roaming\bebra.exe
C:\Users\Admin\AppData\Roaming\bebra.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
4b6a9d1e2998d7df50f1e59b972183f5

SHA1
8f349e5ce5cfba4663a34429f6abbe67a0061c2f

SHA256
98a3099be8881eefd07bf0d7f9a9c2aa00775c1afcf673998b0859c115b049ed

SHA512
bbcb92beb7e97e89fee76d2894e24e76f2e07be3eb8b821e438309e14100a5f8d62684d34c5dc9c468829e545e0d2fc61191fbfcbc5f3dca9f9d06a9faed23f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bebra.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
8f3cf07a9f23d208d91f9b06ba6d57c2

SHA1
9f50705c66bc9ae718ac9191bf7a054a1715fcc1

SHA256
0d7751a7e64cc8f6c400038ebf3f41a19722f5a98b634bff52cb25bc5ca9519c

SHA512
68aafca10860e47f2855e3e2637e46014fc7e96e14d3965fe1033350395f22777cecf0b5de9f0ac15fe9c55613552a969b45157fcbc6a0567ce6415bcf6db9dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
248B

MD5
63f42f1c79e98255682111419bced474

SHA1
392a69cc46c562c9e64eca8816292a2fa62fabea

SHA256
b4961ea15fb968ed3aaa6eb5241233e07e85721d48a2448648f641f433064362

SHA512
fd54189b134af5d282743f6572bc86af41ff43e8f5c034c9c58cb96c3bb9160c8fe356c8d833ae96019b9834c5ac4c00043a91b97e8d3da6cac055605fa2e7e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bc20eb5d98c3834fb90fa126654e7dc8

SHA1
6bc3d2b680589b4db09dd72fb1f6ca6d277b57f7

SHA256
3093a4b775718ea772dfedca7b232dabdae291273e76756e47c08dfd99bff2c8

SHA512
108bebb5d801ce52b9633458b8906b28edd16ecdbe117208d11c92a77544d66f5cf143a89178b36a3ac303db2a589e3aa7cb6a8cc28b06775a73c5917c0c7258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff58dafcb8c84e7a850f31e723902046

SHA1
6abb9be93fbf69b955920c29ad3ffb87746c0e72

SHA256
de866a8088fc4b614ef04856fa7790a77ffa890bdb0b145939611a6c35a843d3

SHA512
8c1992e4adfa977867108155627e327349214fe7003000c5e3dd644c4e87af307aa3fbd303abd5c96248bfc80721c7e72b40a0ffcf4e2ae822fae674ddb0e56b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
75c7d0a46fa4d8962159ee37be668a0e

SHA1
848481b1988a0a7fecd88fa625888c93c5c19c49

SHA256
c744157334fbe29a6f3e1744d19cc21c4071e05b481f68f086169adb419cee02

SHA512
d049f5cca3969217635a4dc53fd73eb03ce3350b1b0bec10db7a26ecd64d2ab2c100819c27058528388a394ef84e037494c9f0407966cbd72e37f1af852f31a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80b42fe4c6cf64624e6c31e5d7f2d3b3

SHA1
1f93e7dd83b86cb900810b7e3e43797868bf7d93

SHA256
ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

SHA512
83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
bca013349ea9cbfeae8a6a2fcfc0a968

SHA1
e6e8031627dd6efee732345a879d37bb8f5bbb62

SHA256
72996bfeb0e86a9816bd2521deb29d43117b8ea2dd12e81e002222131a40b672

SHA512
6adc3a35c751ee3aec51ffc33c00113e5c795b7925ea31cd9f412b386a9e1fec54b89a665678ce891e6877f01f981aa5c1c19a24fc9ee8687e8b72a39b4478e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b41x0vsx.qiw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\bebra.exe

Filesize
75KB

MD5
2fd31aaa38c67321efb5f31b5659837c

SHA1
edf64ed1bc8dda641051df0d3ed652850d1a9d4c

SHA256
dc5e324b65dcb96caa598f6080a2c3ce7bc95634890fadbec3411d0fd7764362

SHA512
24dba2d242a86763ae7b79d4fe54a560715423e0726170c494ece97387f861bc43637ac0216d90e4d340b4ee6af2632ae622841b4e7b83339495792b17b7194c

Download Submit
C:\Users\Admin\AppData\Roaming\impact.exe

Filesize
2.4MB

MD5
1bbebaeada8165fd366b49bc2136dff3

SHA1
55b8f5a7f0ae72bba6a708fea2c3bdbfe61c2e1e

SHA256
606ed20c7eca8f1d478f73ac889131bedcd8d1075ce366035a887cf2207d193c

SHA512
694e70788f66a88a72a6556cb231edef5eb8cb4fd88d48a1928249a8dd9504585fa8b47b76dfbd36be12197f17239762158c4e4e1ab30e1c9669a8c9069dbe52

Download Submit
memory/928-186-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2104-82-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/2104-142-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/2104-195-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/2104-116-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/2104-106-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/2104-88-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/2104-86-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/2104-78-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/2104-37-0x000001DCE59C0000-0x000001DCE59C1000-memory.dmp

Filesize
4KB

Download
memory/3488-24-0x00007FFDFEE33000-0x00007FFDFEE35000-memory.dmp

Filesize
8KB

Download
memory/3488-26-0x0000000000D20000-0x0000000000D3A000-memory.dmp

Filesize
104KB

Download
memory/4652-133-0x000002030F810000-0x000002030F832000-memory.dmp

Filesize
136KB

Download