ebbf9dd52f6a30e24ead69c19a8c44a8207e5fae0b54e3c0f6008cb1ccfe9587

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe
Size

3.2MB
MD5

07c28f582690bb2fbea56c3d47ec9dae
SHA1

f5a992e1cc02536c9e0e01f99944ef83120d810e
SHA256

ebbf9dd52f6a30e24ead69c19a8c44a8207e5fae0b54e3c0f6008cb1ccfe9587
SHA512

fe32cd7c43671fdb74f9287c73a81a8557bf49343586692ad0d74477fb8af27c8f9733675e93fa0f0815162607a20001d5f9ef2330c65ec7fc3db26200d0c40e
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NG:DBIKRAGRe5K2UZ6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	f767a1f.exe

Loads dropped DLL 9 IoCs

pid	Process
1692	2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe
1692	2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3056	1716	WerFault.exe	28

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	f767a1f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	f767a1f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1692	2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe
1692	2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe
1716	f767a1f.exe
1716	f767a1f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1716	1692	2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe	28
PID 1692 wrote to memory of 1716	1692	2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe	28
PID 1692 wrote to memory of 1716	1692	2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe	28
PID 1692 wrote to memory of 1716	1692	2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe	28
PID 1716 wrote to memory of 3056	1716	f767a1f.exe	30
PID 1716 wrote to memory of 3056	1716	f767a1f.exe	30
PID 1716 wrote to memory of 3056	1716	f767a1f.exe	30
PID 1716 wrote to memory of 3056	1716	f767a1f.exe	30

C:\Users\Admin\AppData\Local\Temp\2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_07c28f582690bb2fbea56c3d47ec9dae_hacktools_xiaoba_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe 259422767
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 572
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767a1f.exe

Filesize
3.2MB

MD5
a268f7d3fac2a79c7a04630a8ba8b155

SHA1
d0b60a93fe7b080fc0056f213e718e4632da2d77

SHA256
ce20fc5072758b385863f56d70d93c37452d366bc82e8ad2ab2bafdf831530fb

SHA512
9f1956e3375e5c048c58b21e3d02bf95cb0f5805d1abce9a10a4f971329ebfa1467b4bace774b0a8a5d300f353b6ab0a93fb1215386a4e84c34d901c643acee2

Download Submit
memory/1692-12-0x0000000002750000-0x0000000002AF5000-memory.dmp

Filesize
3.6MB

Download
memory/1692-15-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1692-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1692-9-0x0000000002750000-0x0000000002AF5000-memory.dmp

Filesize
3.6MB

Download
memory/1692-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1716-13-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1716-14-0x0000000075170000-0x0000000075270000-memory.dmp

Filesize
1024KB

Download
memory/1716-41-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download