1acdd1c18009ee16bea0c9d64f6b63b1243449531384a4265e1ef9cc66439466

Analysis

max time kernel
125s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe
Size

716KB
MD5

980c6495b5be689bd08ca90360eca8c3
SHA1

31bc8d269709b93f3cb3f43494f916fd7c1390e5
SHA256

1acdd1c18009ee16bea0c9d64f6b63b1243449531384a4265e1ef9cc66439466
SHA512

013b399a86c77012b72419fca54f78a51556f84bba3589a2f6e5ad73746732b2e4570ba0c0209688df173830e85b57d2a0851ac535aa07b68dbf47cfeda1fa2c
SSDEEP

12288:BaPVmPWz9Ms99bJ9RQ8gzl8c1osWoZ+v6b+w:Bfuzis9hxolDasWoZxb+w

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe

Runs net.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4840	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe
4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2772	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	82
PID 4612 wrote to memory of 2772	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	82
PID 4612 wrote to memory of 2772	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	82
PID 2772 wrote to memory of 5112	2772	cmd.exe	84
PID 2772 wrote to memory of 5112	2772	cmd.exe	84
PID 2772 wrote to memory of 5112	2772	cmd.exe	84
PID 5112 wrote to memory of 2836	5112	net.exe	85
PID 5112 wrote to memory of 2836	5112	net.exe	85
PID 5112 wrote to memory of 2836	5112	net.exe	85
PID 4612 wrote to memory of 1904	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	86
PID 4612 wrote to memory of 1904	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	86
PID 4612 wrote to memory of 1904	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	86
PID 4612 wrote to memory of 4840	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	88
PID 4612 wrote to memory of 4840	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	88
PID 4612 wrote to memory of 4840	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	88
PID 4612 wrote to memory of 1956	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	90
PID 4612 wrote to memory of 1956	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	90
PID 4612 wrote to memory of 1956	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	90
PID 4612 wrote to memory of 4844	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	92
PID 4612 wrote to memory of 4844	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	92
PID 4612 wrote to memory of 4844	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	92
PID 4612 wrote to memory of 1820	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	95
PID 4612 wrote to memory of 1820	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	95
PID 4612 wrote to memory of 1820	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	95
PID 4612 wrote to memory of 2896	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	97
PID 4612 wrote to memory of 2896	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	97
PID 4612 wrote to memory of 2896	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	97
PID 4612 wrote to memory of 2660	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	99
PID 4612 wrote to memory of 2660	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	99
PID 4612 wrote to memory of 2660	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	99
PID 4612 wrote to memory of 3600	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	101
PID 4612 wrote to memory of 3600	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	101
PID 4612 wrote to memory of 3600	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	101
PID 4612 wrote to memory of 1988	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	103
PID 4612 wrote to memory of 1988	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	103
PID 4612 wrote to memory of 1988	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	103
PID 4612 wrote to memory of 676	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	105
PID 4612 wrote to memory of 676	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	105
PID 4612 wrote to memory of 676	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	105
PID 4612 wrote to memory of 2152	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	107
PID 4612 wrote to memory of 2152	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	107
PID 4612 wrote to memory of 2152	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	107
PID 4612 wrote to memory of 3252	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	109
PID 4612 wrote to memory of 3252	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	109
PID 4612 wrote to memory of 3252	4612	980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe	109

C:\Users\Admin\AppData\Local\Temp\980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe
"C:\Users\Admin\AppData\Local\Temp\980c6495b5be689bd08ca90360eca8c3_xiaoba_JC.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net user %username% san010911
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\net.exe
    net user Admin san010911
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin san010911
      4⤵
      PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cd C:\Users\%username%\Desktop
  2⤵
  PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.exe *.exe.yyds
  2⤵
  - Suspicious behavior: RenamesItself
  PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.com *.com.yyds
  2⤵
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.scr *.scr.yyds
  2⤵
  PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.txt *.txt.yyds
  2⤵
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.bat *.bat.yyds
  2⤵
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.cmd *.cmd.yyds
  2⤵
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.lnk *.lnk.yyds
  2⤵
  PID:3600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.jpeg *.jpeg.yyds
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.jpg *.jpg.yyds
  2⤵
  PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.png *.png.yyds
  2⤵
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren *.ico *.ico.yyds
  2⤵
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads