Analysis
-
max time kernel
64s -
max time network
66s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
23-10-2024 17:08
General
-
Target
xera.exe
-
Size
6.7MB
-
MD5
0dec2a6bc52c602041c96b517231caef
-
SHA1
10f901a1564f975e218e5ede32144751241036b6
-
SHA256
3f7c362eb3f8d4e88b313c328b73567a7389a6b92bb795883797692390060bfe
-
SHA512
24d498fc72d000675b4ceba4356d2cb3998934525e3b2849aeb647fb04dd2a794971505a590ad7ffa51188157f03b55f96894d594ad44d0382ff1527db2df583
-
SSDEEP
196608:Wf6Ts+8lWtMzzohf3HAtNrz5BhMN5mXP:06BCi6sHk5BhMN5
Malware Config
Signatures
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 44 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\xera.exe"C:\Users\Admin\AppData\Local\Temp\xera.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.0.2096727911\1068132859" -parentBuildID 20221007134813 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55c0fabe-c565-42ca-9085-9f2eac8f95d3} 316 "\\.\pipe\gecko-crash-server-pipe.316" 1780 28fe21d9e58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.1.130137469\584133854" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {054156ff-ec8c-4a52-8cd0-07df8b9fe3bb} 316 "\\.\pipe\gecko-crash-server-pipe.316" 2136 28fe210db58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.2.546125753\1414803762" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2892 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b221f23-55f1-4eb3-9b8d-4b6d502857e0} 316 "\\.\pipe\gecko-crash-server-pipe.316" 2868 28fe649e458 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.3.319218534\1450958932" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c43f640d-585f-4189-adb9-b5ca3473b949} 316 "\\.\pipe\gecko-crash-server-pipe.316" 2996 28fe49c1358 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.4.2097390325\1152385381" -childID 3 -isForBrowser -prefsHandle 4320 -prefMapHandle 4316 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3f7996-9abd-4e6c-ba34-8c50f46afce5} 316 "\\.\pipe\gecko-crash-server-pipe.316" 4000 28fe84e2d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.5.115529926\1657359830" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4968 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75f672a2-df02-4d95-9865-9247d255598c} 316 "\\.\pipe\gecko-crash-server-pipe.316" 4960 28fe4cbc558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.6.929211800\97881293" -childID 5 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bdfa3da-dddb-4b99-ab1b-20a794df883c} 316 "\\.\pipe\gecko-crash-server-pipe.316" 5100 28fe4cbd758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.7.1492085071\265301965" -childID 6 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9609aedc-1f4a-4ece-92a4-e76ebce97f44} 316 "\\.\pipe\gecko-crash-server-pipe.316" 5284 28fe4cbdd58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.8.1670446862\1704964315" -childID 7 -isForBrowser -prefsHandle 5736 -prefMapHandle 5616 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {915d6376-3582-4e53-99e7-ba5975d87c70} 316 "\\.\pipe\gecko-crash-server-pipe.316" 5716 28feac6b758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.9.1197116314\1782663296" -parentBuildID 20221007134813 -prefsHandle 5972 -prefMapHandle 5984 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b431108-58c7-41ee-a26c-f290383a0da3} 316 "\\.\pipe\gecko-crash-server-pipe.316" 5880 28fead17558 rdd3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.10.823975202\167024085" -childID 8 -isForBrowser -prefsHandle 6152 -prefMapHandle 6140 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5891c6f-241d-4725-a2bd-b786d84b2b36} 316 "\\.\pipe\gecko-crash-server-pipe.316" 6160 28feb2da258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.11.2019884785\906304958" -childID 9 -isForBrowser -prefsHandle 6300 -prefMapHandle 6304 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6f2cc4a-6c3c-4be7-8273-343f70397bad} 316 "\\.\pipe\gecko-crash-server-pipe.316" 6292 28feb2db158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.12.1603725364\1163237235" -childID 10 -isForBrowser -prefsHandle 5028 -prefMapHandle 5044 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {683183be-f909-4249-8426-5c62de627ac3} 316 "\\.\pipe\gecko-crash-server-pipe.316" 5016 28fea5a8d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.13.139997936\110821640" -childID 11 -isForBrowser -prefsHandle 6428 -prefMapHandle 6444 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d9d9b0b-74ac-4e3b-a6cf-ccb0e3431bb7} 316 "\\.\pipe\gecko-crash-server-pipe.316" 6416 28fe860ed58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.14.14413410\1609455737" -childID 12 -isForBrowser -prefsHandle 7708 -prefMapHandle 7568 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5475572e-ec06-4f8e-b334-331b65edf098} 316 "\\.\pipe\gecko-crash-server-pipe.316" 9900 28fec8cbc58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.15.1382950173\447120093" -childID 13 -isForBrowser -prefsHandle 7460 -prefMapHandle 7464 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {433bb68f-8066-466f-9834-9e0dd61398cf} 316 "\\.\pipe\gecko-crash-server-pipe.316" 7452 28feca13c58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.16.36847380\1754376447" -childID 14 -isForBrowser -prefsHandle 7648 -prefMapHandle 7588 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4c13f8f-d102-478d-89fb-f0f174b1d2ec} 316 "\\.\pipe\gecko-crash-server-pipe.316" 9716 28fecab4b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.17.831461572\319077776" -childID 15 -isForBrowser -prefsHandle 9544 -prefMapHandle 9540 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aed86dc1-fca3-4b53-8436-9062bda81464} 316 "\\.\pipe\gecko-crash-server-pipe.316" 9552 28fecab5758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.18.246959050\1508385526" -childID 16 -isForBrowser -prefsHandle 7156 -prefMapHandle 6112 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbb3236d-09b5-46cb-8e06-9d7a45dad0ca} 316 "\\.\pipe\gecko-crash-server-pipe.316" 7164 28fecaa4f58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.19.1093321\204326882" -childID 17 -isForBrowser -prefsHandle 6452 -prefMapHandle 7444 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {238dceab-626b-422e-addd-7707d6067f8e} 316 "\\.\pipe\gecko-crash-server-pipe.316" 9764 28fecbdb858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.20.562046507\81747799" -childID 18 -isForBrowser -prefsHandle 6996 -prefMapHandle 6992 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54c0bd92-f4fa-4cd7-a90b-df92df15a406} 316 "\\.\pipe\gecko-crash-server-pipe.316" 7004 28fecbdca58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="316.21.1348205132\325928609" -childID 19 -isForBrowser -prefsHandle 6876 -prefMapHandle 6872 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed5d3a2-8cc1-4d6d-8be1-630c409e8517} 316 "\\.\pipe\gecko-crash-server-pipe.316" 6884 28fecbdc158 tab3⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5b9a1bc14c179172af38e586606c5809e
SHA1d479ca9256db5313ab80c09938de3c7e1674533e
SHA25663748d97622d711de325cdf5bb93ee7d2604ea25e222b43fd94c735ea23689de
SHA512d832113ebb891849e668e911ce3da4cc7478d517a7782feca47fe7125eca82f45d2abe1b3193318f50d02d8abad9ed2e08f233d4f834c4475f7b4f104036126a
-
Filesize
8KB
MD56a33b0ba59109d0853a125c565992d05
SHA17fa72c7a1444c0ccc2d0d9804a42524268ace740
SHA256ae94aad12708cddac84ab5874bca19a2f361ae07a135575aee6e898bb7537567
SHA5126f355ff7e2ab923e57bce67f64e1e38cb20f375510c456bf0b8594c3a8710310985ac945774bbe625c7826ee5995c659b2002fe6b41e30aa9c768f778109847b
-
Filesize
45KB
MD59c1a2948edf1aa0d5538d70eaa66c252
SHA11a6cd5a199172586ebd4811c9e396852d665c2bc
SHA256176c8301976457730111a2b18f0775ac37efd87ae8cca7fbbb5a2fd2f6120b11
SHA5120b8e8860f29fe52627098326767046a28262866c9ddce204e0892825f85eff7ea39036fb3fbfcd29ef115a56a1eec7b567a99d5819ee2a91eb957209eb3d8d22
-
Filesize
73KB
MD5348ce828707b30fadde42759c4d44330
SHA1d59b429b215071e0727229ea5129945dc9772419
SHA2564d86e6925cdeddadf562ac961d4c199901522ca55a7e173c564451c4fe2d62c5
SHA512b0e7b0a3aa5e08d1b817dce85c408e2a3ca18d631b6f3820b0bf571d606e5df245c91233e5aeea5423e57655fb9a0c70af5234719cdc534db8e14e9a2931abe6
-
Filesize
18KB
MD532a22c943d40a5282d0b41483545dfd3
SHA13c59c9b03ac54ab11840a42a83092295c54a359b
SHA2565ebbd01f9378453ba98d25c87d96beec4ffb98515fc14eadf70d1973128de5ee
SHA5122e2f816470c8e91aa46f90abf741dc5a2c0d2fa3993b86fe6427a31039f315224869a1403c71b525a3fb4858119594ad4576965311792b914d00eea0328ccb68
-
Filesize
2KB
MD5c2cf96fee868598c9e7daf481c119d1b
SHA1b4ed1b180eff2aeaff796679de088e73beff0228
SHA25665fa1fc2db8f25fdee2bbd11c44807c33c0e74afdf9d95d6609e31acfe540e61
SHA5126217864ee04b0034654ed934b9ff4959d2269a0521979d002edc4095dd794fc1b701c2f6b47edc197e3f185ccb994a62f77501013b9b1954184aebe36d085659
-
Filesize
746B
MD531f1cbde52e0aee833179a63cea412c9
SHA16e5ccfe43065ec9acc5d85a56a44cb717b9af8b3
SHA256352fd1e9dbf6fa3eb4dd61a278b67ef26197410ab3134abaa450e5e252bf4325
SHA51205528282b6e069029fcf83bb75df50f99376a32f4273540bf2d7a8b500b9d0363c43fe5d2eb819fe0436aae34cf01ad3bc82c3687a10877bbfa663df13ebf1e2
-
Filesize
10KB
MD58d120119940ad16141760675639cf112
SHA1932b3bc333fdfe4dfac0fa163fc354f10c8e2379
SHA2568d7e397f36731539a5898899088cbf52fea08870738968cd7a87f7cde993b977
SHA51270a9d284ef767dce264539c582d3062bc09b5dbd090568b643cb0605169a8d21d0d33940258ab7094f5fe339243e07fb86f6b60f01569ab2ec728237f4669ef5
-
Filesize
6KB
MD5280f1fabe2f8fdc4651d38594ba6096c
SHA12591abac905ab75d9e9504c3cf591b5f63f6fe1f
SHA25681f1d6c7f248f06e6662cfcd45e6a1f44528dbec3aac671f20cd236ab297ae13
SHA51290c8dc81084381a4f879f8195463399b3b625b0ce2db730b9a83ced459e66ef84902224e8a8fd49b884745f1e017051de915def3c973435d30e07ecc664fd86e
-
Filesize
6KB
MD54332b52c32704eb00e49da1c062fc34d
SHA11e73a072f1f2be54f8f8492acd1e701f0900d9df
SHA256976492a40c4824a6f39a0ba426a9fad9c811c971e612f06dc1c110d7bbed5058
SHA512620942580822bbe0a7787c63d86e41698533ae2a4e7ad62dbcd5cdc805b362c611f04baa1a20098caf4b6c30967e853f63d1408010db68d61f020b03936ef235
-
Filesize
1KB
MD5ff367b7be24a621f8a434a98c894ac5f
SHA1f8568549d2ce6dd45d7b6d7a045785f512a23628
SHA2569740e58577f67d954d584c93cb5611dafc97e990d6f39abb9d590099c42022fb
SHA5126d88656e37d244a5d8d7e070f618aa020cac42f5e3876ea623e04339b2a34936a63ce4ec4c74950144b940912ea93b6e59fb09567750b527059f2ce61e361a69
-
Filesize
3KB
MD5d8e766f34af31e07f8f441b79a332817
SHA1a2d64818b0a7632c108dd426d339ccaf27529b4f
SHA2560555fb205087f056044f5c0c85bc59a2c077ad8ccd95095a7d6f3a9b094d696a
SHA5120ecee267f888e033c69385e3c9e8f7d7ad5786f8fbc978fd68ff501c7eb8e9f48bae716b01d09d0a657cadc9eb87ee44344b9aa77d21e34daa560e9ed65db868
-
Filesize
3KB
MD5b472d36dde2c8efde357f007a7d434ed
SHA186adfa57fe8a948754ed24576ae213c3be94f7fa
SHA256eede895849fc2e18644798b2ec9ccbc8048df4de8708f0ff832c62169ad4648a
SHA5128161d47fc374f915cfe70ff301f808d07cf8d48c9364bb71e2caaaf249e5806bfe5f6f81a7828da8ba35245ab757750309462adffbacc001163225d4cd9a5fa1
-
Filesize
456B
MD54849126d62348e96de9f534891ee372c
SHA104208116ad7cb0edcb2c7c754042554104172d10
SHA25692930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d
SHA512bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25
-
Filesize
184KB
MD50ed2663971e8051b2bcb574926400fa8
SHA1467756bf41c377bdb07c8be10d5391f1df1d80a7
SHA2560c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c
SHA512e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898