Overview

overview

7

Static

static

3

2024-08-21...ba.exe

windows7-x64

7

2024-08-21...ba.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-08-2024 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-21_9ea67e994f713daf5e0639569fc210b3_hacktools_xiaoba.exe

  • Size

    3.2MB

  • MD5

    9ea67e994f713daf5e0639569fc210b3

  • SHA1

    5ae67734faacb609abcfa51d9001cd68c86ae803

  • SHA256

    03a71411b2dbe60823211dfeca3d04cf6f6650e53c2b57141d977b17debedeef

  • SHA512

    465d3326c1375ccd5851c7b4a2df8ede5c56462f170070910ffc8946df901562e3264af2f541debeaeeffbf94ec45f34fa69fda39e9c493769b0f4a11552b763

  • SSDEEP

    49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Na:DBIKRAGRe5K2UZO

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-21_9ea67e994f713daf5e0639569fc210b3_hacktools_xiaoba.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-21_9ea67e994f713daf5e0639569fc210b3_hacktools_xiaoba.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e576987.exe
      C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e576987.exe 240609687
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3616
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 2064
        3⤵
        • Program crash
        PID:5088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3616 -ip 3616
    1⤵
      PID:4608

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e576987.exe
      Filesize

      3.2MB

      MD5

      7ea3873e3719c6f4f3011f622861173c

      SHA1

      e39a7c01210844dc33c04cb8e5303987fbc4e810

      SHA256

      a844d00e84a1d075fa4534e29616d67b94ebc01e558ef00cf9c49905ea889277

      SHA512

      c4139402987b37cdba268f7551b0e242df7524cfa2e07a5ad66ea779d34f1581531c807453c4cc27eacc8a4917998b0c431d10a7b45088fc6e91384103811502

      Download Submit

    • memory/1100-0-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/1100-1-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/1100-7-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/3616-11-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/3616-20-0x000000007528A000-0x000000007528B000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-24-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download