1b2bc5e892dc850638286810f2052f14a09a13d5838906c44c6b83480e12a553

General

Target

1/????.exe
Size

108KB
MD5

4896192ec4694990e55771cb62319761
SHA1

13c06c5419936f9afa253935f6cc36f0cd5f918c
SHA256

12961fc98232445adc5166ef4b5394f8b0400e3b04aceb4aac481692e222e48b
SHA512

bb7057e4530e4f4538809873bfd556a1ffbbb1b2841a93498b43d8ff5c3a98ce0aa3999a9213aaa2f4182cb30f9ee444ccac89015ef841e40e5325736056fd6f

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

www.xiaodao.la.dll

pid process

552 www.xiaodao.la.dll

Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

www.xiaodao.la.dll

pid	process
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll
552	www.xiaodao.la.dll

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

www.xiaodao.la.dll

description pid process

Token: SeDebugPrivilege 552 www.xiaodao.la.dll
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

www.xiaodao.la.dll

pid process

552 www.xiaodao.la.dll
552 www.xiaodao.la.dll
552 www.xiaodao.la.dll

description	pid	process
Token: SeDebugPrivilege	552	www.xiaodao.la.dll

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

____.exewww.xiaodao.la.dll

description	pid	process	target process
PID 308 wrote to memory of 552	308	____.exe	www.xiaodao.la.dll
PID 308 wrote to memory of 552	308	____.exe	www.xiaodao.la.dll
PID 308 wrote to memory of 552	308	____.exe	www.xiaodao.la.dll
PID 308 wrote to memory of 552	308	____.exe	www.xiaodao.la.dll
PID 308 wrote to memory of 552	308	____.exe	www.xiaodao.la.dll
PID 308 wrote to memory of 552	308	____.exe	www.xiaodao.la.dll
PID 308 wrote to memory of 552	308	____.exe	www.xiaodao.la.dll
PID 552 wrote to memory of 368	552	www.xiaodao.la.dll	wininit.exe
PID 552 wrote to memory of 368	552	www.xiaodao.la.dll	wininit.exe
PID 552 wrote to memory of 368	552	www.xiaodao.la.dll	wininit.exe
PID 552 wrote to memory of 368	552	www.xiaodao.la.dll	wininit.exe
PID 552 wrote to memory of 368	552	www.xiaodao.la.dll	wininit.exe
PID 552 wrote to memory of 368	552	www.xiaodao.la.dll	wininit.exe
PID 552 wrote to memory of 368	552	www.xiaodao.la.dll	wininit.exe
PID 552 wrote to memory of 380	552	www.xiaodao.la.dll	csrss.exe
PID 552 wrote to memory of 380	552	www.xiaodao.la.dll	csrss.exe
PID 552 wrote to memory of 380	552	www.xiaodao.la.dll	csrss.exe
PID 552 wrote to memory of 380	552	www.xiaodao.la.dll	csrss.exe
PID 552 wrote to memory of 380	552	www.xiaodao.la.dll	csrss.exe
PID 552 wrote to memory of 380	552	www.xiaodao.la.dll	csrss.exe
PID 552 wrote to memory of 380	552	www.xiaodao.la.dll	csrss.exe
PID 552 wrote to memory of 416	552	www.xiaodao.la.dll	winlogon.exe
PID 552 wrote to memory of 416	552	www.xiaodao.la.dll	winlogon.exe
PID 552 wrote to memory of 416	552	www.xiaodao.la.dll	winlogon.exe
PID 552 wrote to memory of 416	552	www.xiaodao.la.dll	winlogon.exe
PID 552 wrote to memory of 416	552	www.xiaodao.la.dll	winlogon.exe
PID 552 wrote to memory of 416	552	www.xiaodao.la.dll	winlogon.exe
PID 552 wrote to memory of 416	552	www.xiaodao.la.dll	winlogon.exe
PID 552 wrote to memory of 460	552	www.xiaodao.la.dll	services.exe
PID 552 wrote to memory of 460	552	www.xiaodao.la.dll	services.exe
PID 552 wrote to memory of 460	552	www.xiaodao.la.dll	services.exe
PID 552 wrote to memory of 460	552	www.xiaodao.la.dll	services.exe
PID 552 wrote to memory of 460	552	www.xiaodao.la.dll	services.exe
PID 552 wrote to memory of 460	552	www.xiaodao.la.dll	services.exe
PID 552 wrote to memory of 460	552	www.xiaodao.la.dll	services.exe
PID 552 wrote to memory of 476	552	www.xiaodao.la.dll	lsass.exe
PID 552 wrote to memory of 476	552	www.xiaodao.la.dll	lsass.exe
PID 552 wrote to memory of 476	552	www.xiaodao.la.dll	lsass.exe
PID 552 wrote to memory of 476	552	www.xiaodao.la.dll	lsass.exe
PID 552 wrote to memory of 476	552	www.xiaodao.la.dll	lsass.exe
PID 552 wrote to memory of 476	552	www.xiaodao.la.dll	lsass.exe
PID 552 wrote to memory of 476	552	www.xiaodao.la.dll	lsass.exe
PID 552 wrote to memory of 484	552	www.xiaodao.la.dll	lsm.exe
PID 552 wrote to memory of 484	552	www.xiaodao.la.dll	lsm.exe
PID 552 wrote to memory of 484	552	www.xiaodao.la.dll	lsm.exe
PID 552 wrote to memory of 484	552	www.xiaodao.la.dll	lsm.exe
PID 552 wrote to memory of 484	552	www.xiaodao.la.dll	lsm.exe
PID 552 wrote to memory of 484	552	www.xiaodao.la.dll	lsm.exe
PID 552 wrote to memory of 484	552	www.xiaodao.la.dll	lsm.exe
PID 552 wrote to memory of 580	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 580	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 580	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 580	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 580	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 580	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 580	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 660	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 660	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 660	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 660	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 660	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 660	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 660	552	www.xiaodao.la.dll	svchost.exe
PID 552 wrote to memory of 736	552	www.xiaodao.la.dll	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:796

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:240

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:300

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:860

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
3⤵
PID:1976

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:532

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\1\____.exe
"C:\Users\Admin\AppData\Local\Temp\1\____.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\1\www.xiaodao.la.dll
"www.xiaodao.la.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-56-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/552-54-0x0000000000000000-mapping.dmp

Download
memory/552-55-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/552-57-0x0000000002820000-0x00000000028F2000-memory.dmp

Filesize
840KB

Download
memory/552-58-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/552-59-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads