1acdd1c18009ee16bea0c9d64f6b63b1243449531384a4265e1ef9cc66439466

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe
Size

716KB
MD5

980c6495b5be689bd08ca90360eca8c3
SHA1

31bc8d269709b93f3cb3f43494f916fd7c1390e5
SHA256

1acdd1c18009ee16bea0c9d64f6b63b1243449531384a4265e1ef9cc66439466
SHA512

013b399a86c77012b72419fca54f78a51556f84bba3589a2f6e5ad73746732b2e4570ba0c0209688df173830e85b57d2a0851ac535aa07b68dbf47cfeda1fa2c
SSDEEP

12288:BaPVmPWz9Ms99bJ9RQ8gzl8c1osWoZ+v6b+w:Bfuzis9hxolDasWoZxb+w

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe

Runs net.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2500	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe
2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2772	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	28
PID 2604 wrote to memory of 2772	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	28
PID 2604 wrote to memory of 2772	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	28
PID 2604 wrote to memory of 2772	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	28
PID 2772 wrote to memory of 2180	2772	cmd.exe	30
PID 2772 wrote to memory of 2180	2772	cmd.exe	30
PID 2772 wrote to memory of 2180	2772	cmd.exe	30
PID 2772 wrote to memory of 2180	2772	cmd.exe	30
PID 2180 wrote to memory of 2272	2180	net.exe	31
PID 2180 wrote to memory of 2272	2180	net.exe	31
PID 2180 wrote to memory of 2272	2180	net.exe	31
PID 2180 wrote to memory of 2272	2180	net.exe	31
PID 2604 wrote to memory of 2356	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	32
PID 2604 wrote to memory of 2356	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	32
PID 2604 wrote to memory of 2356	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	32
PID 2604 wrote to memory of 2356	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	32
PID 2604 wrote to memory of 2500	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	34
PID 2604 wrote to memory of 2500	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	34
PID 2604 wrote to memory of 2500	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	34
PID 2604 wrote to memory of 2500	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	34
PID 2604 wrote to memory of 2436	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	36
PID 2604 wrote to memory of 2436	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	36
PID 2604 wrote to memory of 2436	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	36
PID 2604 wrote to memory of 2436	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	36
PID 2604 wrote to memory of 2440	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	38
PID 2604 wrote to memory of 2440	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	38
PID 2604 wrote to memory of 2440	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	38
PID 2604 wrote to memory of 2440	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	38
PID 2604 wrote to memory of 2832	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	40
PID 2604 wrote to memory of 2832	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	40
PID 2604 wrote to memory of 2832	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	40
PID 2604 wrote to memory of 2832	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	40
PID 2604 wrote to memory of 2896	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	42
PID 2604 wrote to memory of 2896	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	42
PID 2604 wrote to memory of 2896	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	42
PID 2604 wrote to memory of 2896	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	42
PID 2604 wrote to memory of 2888	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	44
PID 2604 wrote to memory of 2888	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	44
PID 2604 wrote to memory of 2888	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	44
PID 2604 wrote to memory of 2888	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	44
PID 2604 wrote to memory of 2812	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	46
PID 2604 wrote to memory of 2812	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	46
PID 2604 wrote to memory of 2812	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	46
PID 2604 wrote to memory of 2812	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	46
PID 2604 wrote to memory of 2696	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	48
PID 2604 wrote to memory of 2696	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	48
PID 2604 wrote to memory of 2696	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	48
PID 2604 wrote to memory of 2696	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	48
PID 2604 wrote to memory of 1984	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	50
PID 2604 wrote to memory of 1984	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	50
PID 2604 wrote to memory of 1984	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	50
PID 2604 wrote to memory of 1984	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	50
PID 2604 wrote to memory of 2704	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	52
PID 2604 wrote to memory of 2704	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	52
PID 2604 wrote to memory of 2704	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	52
PID 2604 wrote to memory of 2704	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	52
PID 2604 wrote to memory of 2760	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	54
PID 2604 wrote to memory of 2760	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	54
PID 2604 wrote to memory of 2760	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	54
PID 2604 wrote to memory of 2760	2604	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	54

C:\Users\Admin\AppData\Local\Temp\980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe
"C:\Users\Admin\AppData\Local\Temp\980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net user %username% san010911
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\net.exe
    net user Admin san010911
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin san010911
      4⤵
      PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cd C:\Users\%username%\Desktop
  2⤵
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.exe *.exe.yyds
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.com *.com.yyds
  2⤵
  PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.scr *.scr.yyds
  2⤵
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.txt *.txt.yyds
  2⤵
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.bat *.bat.yyds
  2⤵
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.cmd *.cmd.yyds
  2⤵
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.lnk *.lnk.yyds
  2⤵
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.jpeg *.jpeg.yyds
  2⤵
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.jpg *.jpg.yyds
  2⤵
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.png *.png.yyds
  2⤵
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.ico *.ico.yyds
  2⤵
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads