Analysis
max time kernel: 70s
max time network: 78s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 11:47
General
Target: again.exe
Size: 45KB
MD5: d315594aa686dfca1d10869c3c2a44cf
SHA1: 16590fcebdac3382dbcd8756813a83e5662f68bd
SHA256: fb86d28847ee49fa9a05b08a5d8a064b5883801233f13682761451f93314d4ad
SHA512: 6515e84c49dc91881d25e18650a0ed738db0c3a0fdc25b946c040ca34320786e9f9dd48876b06d7acf601e16f9dfb4f3946601cf79a80cdb2328eddebca69b86
SSDEEP: 768:RdhO/poiiUcjlJInRTwH9Xqk5nWEZ5SbTDaRWI7CPW5s:Pw+jjgnCH9XqcnW85SbTgWI0
Malware Config
Extracted family: xenorat
C2 host: 10.129.120.194 (a private RFC 1918 address, so no beacon to it could be observed from the sandbox; the Network section below is empty)
Unlabelled string: skibidi_nd8912d (the extractor does not name this field; XenoRAT's default mutex string ends in the same _nd8912d suffix, so this is most likely the mutex name)
delay: 5000
install_path: appdata
port: 4782
startup_name: skibidi
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: again.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  PID 1100: again.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4556: schtasks.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5016 (again.exe) wrote to memory of PID 1100, procid_target 82 (reported 3 times)
  PID 1100 (again.exe) wrote to memory of PID 4556, procid_target 83 (reported 3 times)
  In both cases the target is a child the writer has just spawned (see the process tree below), so these entries are the parent-to-child writes that ordinary process creation produces, not injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\again.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\again.exe"
   PID: 5016
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\XenoManager\again.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\again.exe"
      PID: 1100
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks.exe" /Create /TN "skibidi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83C6.tmp" /F
         PID: 4556
         Signatures: Creates scheduled task(s)

Note: the task name "skibidi" is the startup_name from the extracted config, the task definition is imported from a temporary XML file rather than given on the command line, and /F overwrites any existing task of that name. schtasks.exe is resolved from SysWOW64, so the sample runs as a 32-bit process on the x64 image.
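The following is an added example, not part of the tria.ge report and not XenoRAT code. It turns the extracted config (C2 host and port, startup_name) and the behaviour recorded in the Signatures and Processes sections (relocation from %TEMP% to %APPDATA%, schtasks /Create from a temporary XML, the Geo\Nation registry lookup) into detection rules and runs them over constructed telemetry that mirrors the process tree above. The event records, the benign noise events, and the network_connect event are constructed (the report's Network section is empty, so no beacon was actually observed); treating skibidi_nd8912d as the mutex name is an assumption.

```python
"""
Added example: detection rules derived from the XenoRAT sandbox report,
evaluated over constructed (not real) endpoint telemetry.
"""
import re

# Values copied from the report's Malware Config section. The second
# unlabelled string is treated as the mutex name (assumption: the report does
# not name that field; XenoRAT's default mutex string carries the same suffix).
XENORAT_CONFIG = {
    "c2_host": "10.129.120.194",
    "c2_port": 4782,
    "startup_name": "skibidi",
    "mutex": "skibidi_nd8912d",
}

# SHA256 of the submitted sample; the Downloads section shows the dropped
# 45KB file with the same hashes, i.e. the sample copies itself.
SAMPLE_SHA256 = "fb86d28847ee49fa9a05b08a5d8a064b5883801233f13682761451f93314d4ad"

TEMP_DIR = "\\appdata\\local\\temp\\"
ROAMING_DIR = "\\appdata\\roaming\\"

# Constructed events approximating the sandbox run (not real sensor output).
# PIDs, paths and command lines are the ones in the report's process tree;
# the network_connect for PID 1100 is what a beacon to the configured C2
# would look like (none was recorded by the sandbox).
EVENTS = [
    {"type": "process_create", "pid": 5016, "ppid": 900, "sha256": SAMPLE_SHA256,
     "image": r"C:\Users\Admin\AppData\Local\Temp\again.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\again.exe"'},
    {"type": "registry_query", "pid": 5016,
     "key": r"\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 1100, "ppid": 5016, "sha256": SAMPLE_SHA256,
     "image": r"C:\Users\Admin\AppData\Roaming\XenoManager\again.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\XenoManager\again.exe"'},
    {"type": "process_create", "pid": 4556, "ppid": 1100,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /Create /TN "skibidi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83C6.tmp" /F'},
    {"type": "network_connect", "pid": 1100, "dst_ip": "10.129.120.194", "dst_port": 4782},
    # Constructed benign noise so the rules have something to ignore.
    {"type": "process_create", "pid": 7000, "ppid": 650,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "NightlyBackup" /TR "C:\Program Files\Backup\run.exe" /SC DAILY'},
    {"type": "network_connect", "pid": 7000, "dst_ip": "10.129.120.1", "dst_port": 443},
]


def parse_schtasks(cmdline):
    """Parse a schtasks.exe command line into {flag: value or True}, flags lowercased."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts = {}
    for i, tok in enumerate(toks):
        key = tok.lower()
        if key in ("/create", "/delete", "/run", "/f"):
            opts[key] = True
        elif key in ("/tn", "/xml", "/tr", "/sc") and i + 1 < len(toks):
            opts[key] = toks[i + 1]
    return opts


def detect(events):
    """Return (rule, pid, detail) findings for one host's event stream."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            image = ev["image"].lower()
            parent = procs.get(ev["ppid"])
            # Relocation stage: a binary under %APPDATA%\Roaming spawned by one in
            # %TEMP%; with hashes available, also flag a byte-identical self-copy.
            if parent and ROAMING_DIR in image and TEMP_DIR in parent["image"].lower():
                findings.append(("exe_relocated_from_temp", pid, ev["image"]))
                if ev.get("sha256") and ev["sha256"] == parent.get("sha256"):
                    findings.append(("self_copy", pid, ev["sha256"]))
            if image.endswith("\\schtasks.exe"):
                opts = parse_schtasks(ev["cmdline"])
                xml = opts.get("/xml", "").lower()
                # Persistence stage: task imported from a .tmp XML under %TEMP%.
                if opts.get("/create") and TEMP_DIR in xml and xml.endswith(".tmp"):
                    findings.append(("schtasks_xml_from_temp", pid, opts.get("/tn", "")))
                if opts.get("/tn", "").lower() == XENORAT_CONFIG["startup_name"]:
                    findings.append(("xenorat_startup_name", pid, opts["/tn"]))
        elif ev["type"] == "network_connect":
            if (ev["dst_ip"], ev["dst_port"]) == (XENORAT_CONFIG["c2_host"], XENORAT_CONFIG["c2_port"]):
                findings.append(("xenorat_c2_connect", pid, f'{ev["dst_ip"]}:{ev["dst_port"]}'))
        elif ev["type"] == "registry_query":
            # Geofence lookup: weak on its own, so it is reported but not scored.
            if ev["key"].lower().endswith("\\control panel\\international\\geo\\nation"):
                findings.append(("geo_nation_lookup", pid, ev["key"]))
    return findings


HIGH_CONFIDENCE = {"xenorat_c2_connect", "xenorat_startup_name"}
BEHAVIOURAL = {"exe_relocated_from_temp", "schtasks_xml_from_temp", "self_copy"}


def verdict(findings):
    """'xenorat' on a config-derived IOC, 'suspicious' on two or more behaviours, else 'clean'."""
    rules = {rule for rule, _, _ in findings}
    if rules & HIGH_CONFIDENCE:
        return "xenorat"
    if len(rules & BEHAVIOURAL) >= 2:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
    print("verdict:", verdict(detect(EVENTS)))
```

The config-derived rules (C2 host:port, task name equal to startup_name) are specific to this build and go stale as soon as the operator rebuilds the client; the behavioural rules (self-copy from %TEMP% into %APPDATA%\Roaming, schtasks /Create importing a .tmp XML from %TEMP%) survive a config change and are what to keep in a hunting query. The Geo\Nation lookup is recorded only as context because plenty of legitimate software reads it.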
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

File 2
  Filesize: 1KB
  MD5: 4a62209cdedfc42731224511b658bcb8
  SHA1: 087b4da43d98743393f3447d3c57332ab1d1cb3e
  SHA256: cea13f60bd9a0160c6866d142d539308c0efb4a1db670dfc116c7ec03eb53ca3
  SHA512: 07e13b4b617a75aa3c5488294ce189bdc06b073bcf4ab34fe52ef9f8a7453e2ea75bd746da8e0d9e633c67577c6a156bf3013c949f3a8531a17db1e2023083b6

File 3
  Filesize: 45KB
  MD5: d315594aa686dfca1d10869c3c2a44cf
  SHA1: 16590fcebdac3382dbcd8756813a83e5662f68bd
  SHA256: fb86d28847ee49fa9a05b08a5d8a064b5883801233f13682761451f93314d4ad
  SHA512: 6515e84c49dc91881d25e18650a0ed738db0c3a0fdc25b946c040ca34320786e9f9dd48876b06d7acf601e16f9dfb4f3946601cf79a80cdb2328eddebca69b86
  These hashes are identical to the submitted target, consistent with the dropped EXE executed from C:\Users\Admin\AppData\Roaming\XenoManager\again.exe being an unmodified self-copy rather than a second-stage payload.