ef73b9705db080e09c3a84fb5201fd003f242b06e9a5a9028231efc938ead241

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skibidi2.rar
Size

20.9MB
MD5

0b3f0b972f2b76ce9d43e15fe26da47c
SHA1

3c473950f1dd34f55c30a98c254fab8180a5149f
SHA256

ef73b9705db080e09c3a84fb5201fd003f242b06e9a5a9028231efc938ead241
SHA512

10ea567fd9cb8afd4e648ee4f6c4ca7b7d52cb3c79435a4381cbdb2f6ad2b13943a399c9382a169a7657cb1ec08c6f3789026168ccf142ec57be5d46a0f41c29
SSDEEP

393216:ByaUpCe39n3BW8aCuEGnvu0U4KKiPcYfApVgPcLfi2F6y80fxdY24Xod7QaPYsg:ByB3hBW8rTiRKbPccApJij6x+TsEuVg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Xworm V5.6.exe

pid process

212 Xworm V5.6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
212	Xworm V5.6.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Xworm V5.6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

3364 OpenWith.exe
3812 7zFM.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 3812 7zFM.exe
Token: 35 3812 7zFM.exe
Token: SeSecurityPrivilege 3812 7zFM.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

3812 7zFM.exe
3812 7zFM.exe
3812 7zFM.exe

description	pid	process
Token: SeRestorePrivilege	3812	7zFM.exe
Token: 35	3812	7zFM.exe
Token: SeSecurityPrivilege	3812	7zFM.exe

pid	process
3812	7zFM.exe
3812	7zFM.exe
3812	7zFM.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

OpenWith.exe

pid	process
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Skibidi2.rar
1⤵
- Modifies registry class
PID:1476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4772

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Skibidi2.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3812

C:\Users\Admin\Desktop\Skibidi2\Xworm V5.6.exe
"C:\Users\Admin\Desktop\Skibidi2\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE4EEB0728\Skibidi2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Desktop\Skibidi2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\Skibidi2\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\Skibidi2\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/212-245-0x000001DC6AA70000-0x000001DC6B958000-memory.dmp

Filesize
14.9MB

Download
memory/212-247-0x000001DC700D0000-0x000001DC702C4000-memory.dmp

Filesize
2.0MB

Download