Overview

overview

7

Static

static

3

2024-09-02...ba.exe

windows7-x64

7

2024-09-02...ba.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2024 23:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-02_8addab5319dd66906ba0e9ceb759a09e_hacktools_xiaoba.exe

  • Size

    3.2MB

  • MD5

    8addab5319dd66906ba0e9ceb759a09e

  • SHA1

    25b264611a8f76840a76392c1c7790f47f4d1c4b

  • SHA256

    e19d08069067590812eed72788ef59415858e8f0c813778250cfffaf262c25be

  • SHA512

    a431e560e7094a1a1cd7c82c6cf84d2440957ae0eb5cff21f23f726e682b2fbc327779901f17565595c2dcca812eccf4fad60b2912a62228dfd6e0b4db7fca91

  • SSDEEP

    49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NR:DBIKRAGRe5K2UZV

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-02_8addab5319dd66906ba0e9ceb759a09e_hacktools_xiaoba.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-02_8addab5319dd66906ba0e9ceb759a09e_hacktools_xiaoba.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57b100.exe
      C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57b100.exe 240627984
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4908
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2056
        3⤵
        • Program crash
        PID:5076
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4908 -ip 4908
    1⤵
      PID:4360

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57b100.exe
      Filesize

      3.2MB

      MD5

      f9c917892d335da604dcf6f9b4e00525

      SHA1

      e02e5712203895f8bdbcc5e04d01e2f99c28233d

      SHA256

      ca0b81381dfc6f6d841b7c646cb9a0163238fedd82dd3098e4101bbaf61c8721

      SHA512

      80db8f90ddd3474d41f33b5a4eecf7302f473796e38fdf9ba15cda6bfe2b57ab3dc6192d18c367a6dbd28bdcc6db84121ca1d8566624c38aa15e827fb5a7f415

      Download Submit

    • memory/2816-0-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/2816-1-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/2816-16-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/4908-17-0x0000000075ECA000-0x0000000075ECB000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4908-21-0x0000000000400000-0x00000000007A5000-memory.dmp

      Filesize

      3.6MB

      Download