6e77a31c82b107011ea5e119dc218c1763abb1c9d90f0e0b1892a7aee8d90c6a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 01:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe
Size

3.2MB
MD5

ca24ba1285a99d0b03742b58fe8a0a64
SHA1

bca66e744035e26e4d3e7ccd92574ecc835a866c
SHA256

6e77a31c82b107011ea5e119dc218c1763abb1c9d90f0e0b1892a7aee8d90c6a
SHA512

acae0a5b50e90a73879417fbe093562568011a327dad6322d07a1137e2fe741799f9bcbd8551fc10b300448337f559e552caa541b8871eea1e8fb046bf23b374
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nc:DBIKRAGRe5K2UZQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4020	e5785e9.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3840	4020	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5785e9.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1564	2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe
1564	2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe
4020	e5785e9.exe
4020	e5785e9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 4020	1564	2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe	83
PID 1564 wrote to memory of 4020	1564	2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe	83
PID 1564 wrote to memory of 4020	1564	2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_ca24ba1285a99d0b03742b58fe8a0a64_hacktools_xiaoba.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e5785e9.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e5785e9.exe 240616937
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 2072
    3⤵
    - Program crash
    PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4020 -ip 4020
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e5785e9.exe

Filesize
3.2MB

MD5
5be7660e48ee024ed06b53208d175cda

SHA1
7f3209236c2b90f472fb4be2c96ef1c731154c31

SHA256
e7edc148d559958f12c4027089d73da087e1884cc930dd2b49c75e62376f6f96

SHA512
bc44bfa80ba60e05371730e14cdc8289cff75e41be59dfbf5cec3610e7d20d81e7ab58e75b1071d02820a228da7a3e5a38facdc4760cc041a52b79874d08cc71

Download Submit
memory/1564-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1564-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1564-23-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/4020-7-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/4020-19-0x000000007572A000-0x000000007572B000-memory.dmp

Filesize
4KB

Download
memory/4020-24-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download