Analysis
  max time kernel:  149s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240508-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        23-05-2024 19:24
Behavioral task: behavioral1
  Sample:   skididbop.exe
  Resource: win7-20240419-en
General
  Target: skididbop.exe
  Size:   45KB
  MD5:    3c8c937572ec914fcec514388198512c
  SHA1:   45b51ee6aa6eaa491dde2e536ccfeb93f13519a4
  SHA256: dd4b30cd3c1ed3b6ff0952f5aa9e14a334a4bd11a09cdc7ab37aa45cfd739328
  SHA512: 0303eb186bf0b388b23a359992386da1b4f65988655590717bc37ac6860a2529eae575ee0d03245b94c1e6c68cea5731ce46dfe2f373bb856cb43a874edbf6e6
  SSDEEP: 768:6dhO/poiiUcjlJInVFH9Xqk5nWEZ5SbTDa/WI7CPW5N:cw+jjgnrH9XqcnW85SbTWWIF
Malware Config
  Extracted: xenorat
    45.88.186.12
    2
    install_path: appdata
    port:         5050
    startup_name: svchost
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation  skididbop.exe

Executes dropped EXE (1 IoC)
  pid   Process
  4708  skididbop.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2072  schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4708  skididbop.exe   (the same pid/process pair is reported for all 64 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4708  skididbop.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process        procid_target
  PID 3608 wrote to memory of 4708  3608  skididbop.exe  81
  PID 3608 wrote to memory of 4708  3608  skididbop.exe  81
  PID 3608 wrote to memory of 4708  3608  skididbop.exe  81
  PID 4708 wrote to memory of 2072  4708  skididbop.exe  82
  PID 4708 wrote to memory of 2072  4708  skididbop.exe  82
  PID 4708 wrote to memory of 2072  4708  skididbop.exe  82
Processes

1. C:\Users\Admin\AppData\Local\Temp\skididbop.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\skididbop.exe"
   PID: 3608
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\XenoManager\skididbop.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\skididbop.exe"
      PID: 4708
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks.exe" /Create /TN "svchost" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4ECC.tmp" /F
         PID: 2072
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 226B
  MD5:      916851e072fbabc4796d8916c5131092
  SHA1:     d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256:   7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512:   07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  Filesize: 1KB
  MD5:      dc8677af1eb292ed4441e714ed6d7038
  SHA1:     e2318c9551ec5aa9c86216068c7a5836c1c44af8
  SHA256:   b3401a3ac9335049092975fd28904570aac36c1b3bfc9281bbbf73ab0c10e6ab
  SHA512:   b1ff0c90f57a6257e8dec1ba8c6e1a54844b0db5ec90b3d1fc437484a6c2c0b88b7ea299311e4a6704533d9ffdb8a8bbc7f2998feae7b878d01bc3ab2f80d34f

  Filesize: 45KB
  MD5:      3c8c937572ec914fcec514388198512c
  SHA1:     45b51ee6aa6eaa491dde2e536ccfeb93f13519a4
  SHA256:   dd4b30cd3c1ed3b6ff0952f5aa9e14a334a4bd11a09cdc7ab37aa45cfd739328
  SHA512:   0303eb186bf0b388b23a359992386da1b4f65988655590717bc37ac6860a2529eae575ee0d03245b94c1e6c68cea5731ce46dfe2f373bb856cb43a874edbf6e6