Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 01:18

General

  • Target

    7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664.exe

  • Size

    60KB

  • MD5

    59f7a894987bece515c3f0a52f4251d3

  • SHA1

    17e248984a94b6f31b3f27e8a38f30eacb78d24f

  • SHA256

    7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664

  • SHA512

    fd320a382474e92395fa6b5834a2a2db04d119c85ed8f46ac74bbf0a3a8c38cd3e517b38c6ddb7be1cc4c22c6ffa8262c2605643892759ac9f6d5ab2d7ffcfde

  • SSDEEP

    1536:ocvhZCVZL22/BtJ1DG2xNMfMZec4feLdlzok:fqVM2/deGLdlzn

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664.exe
    "C:\Users\Admin\AppData\Local\Temp\7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Users\Admin\xaiguah.exe
      "C:\Users\Admin\xaiguah.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1252
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4532,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
    1⤵
      PID:1992

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    • Persistence
      • T1547 Boot or Logon Autostart Execution (1)
        • T1547.001 Registry Run Keys / Startup Folder (1)
    • Privilege Escalation
      • T1547 Boot or Logon Autostart Execution (1)
        • T1547.001 Registry Run Keys / Startup Folder (1)
    • Defense Evasion
      • T1564 Hide Artifacts (1)
        • T1564.001 Hidden Files and Directories (1)
      • T1112 Modify Registry (2)
    • Discovery
      • T1012 Query Registry (1)
      • T1082 System Information Discovery (2)

    Downloads

    • C:\Users\Admin\xaiguah.exe
      Filesize

      60KB

      MD5

      b2105299ac2a289146f979bc7ed43971

      SHA1

      d649883133c2781ff928f7419f850c1d2a5279dc

      SHA256

      6b9ef6d370c49ba9263edba56c2ff2ca8ba969f5b673cddd18baea2bc1a65b2f

      SHA512

      1c34b9cb91a7c694d75f30adcb6e5719f14451f1ac71f62e649625764659269ee4cf7fcf38006f34426b95f500b62861011d9af37f11783f1d67955468f6d56b