afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d

General

Target

afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe
Size

2.5MB
MD5

4984d638b412fd2371a2934368b1769a
SHA1

3ba21d9895e7ce24f6b499318f8228ef7649e845
SHA256

afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d
SHA512

385c2c9a4865aeaebded872ca7ae01705196c16bc82c2d232706762fc3ba0d9107f3f54de05b0d1445a5b29a70aea1d5552da27930b9840a2b3edc339064aa4c
SSDEEP

49152:hgFstei+6W2AJTqSvKRB/8+UOLmbBfj2DOMtE75O9K6Ud57YmrY:Ast5+P2AHH3gmJ9qKHL7frY

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	xiao.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe
2720	xiao.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x000000000099A000-memory.dmp	vmprotect
behavioral1/memory/2980-1-0x0000000000400000-0x000000000099A000-memory.dmp	vmprotect
behavioral1/memory/2980-3-0x0000000000400000-0x000000000099A000-memory.dmp	vmprotect
behavioral1/memory/2980-15-0x0000000000400000-0x000000000099A000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	xiao.exe
File opened (read-only)	\??\J:	xiao.exe
File opened (read-only)	\??\S:	xiao.exe
File opened (read-only)	\??\V:	xiao.exe
File opened (read-only)	\??\Z:	xiao.exe
File opened (read-only)	\??\U:	xiao.exe
File opened (read-only)	\??\X:	xiao.exe
File opened (read-only)	\??\B:	xiao.exe
File opened (read-only)	\??\H:	xiao.exe
File opened (read-only)	\??\K:	xiao.exe
File opened (read-only)	\??\Q:	xiao.exe
File opened (read-only)	\??\R:	xiao.exe
File opened (read-only)	\??\T:	xiao.exe
File opened (read-only)	\??\Y:	xiao.exe
File opened (read-only)	\??\G:	xiao.exe
File opened (read-only)	\??\I:	xiao.exe
File opened (read-only)	\??\L:	xiao.exe
File opened (read-only)	\??\M:	xiao.exe
File opened (read-only)	\??\N:	xiao.exe
File opened (read-only)	\??\O:	xiao.exe
File opened (read-only)	\??\P:	xiao.exe
File opened (read-only)	\??\W:	xiao.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xiao.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	xiao.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe
2720	xiao.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe
2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2720	2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe	30
PID 2980 wrote to memory of 2720	2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe	30
PID 2980 wrote to memory of 2720	2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe	30
PID 2980 wrote to memory of 2720	2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe	30
PID 2980 wrote to memory of 2720	2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe	30
PID 2980 wrote to memory of 2720	2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe	30
PID 2980 wrote to memory of 2720	2980	afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe	30

C:\Users\Admin\AppData\Local\Temp\afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe
"C:\Users\Admin\AppData\Local\Temp\afc4d286b6199a9c8ac35cde8511656e64fc19d29497e8a4509e1612f1214c7d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Public\Music\xiao.exe
  "C:\Users\Public\Music\xiao.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Music\libcurl.dll

Filesize
820KB

MD5
87a86fd4855daaad294db845d4f2242b

SHA1
ff4859859ee6dcf4ef7502fa5c60a16d1712e1c7

SHA256
672ee4ce9de7267239a12bfe5a09751817547f4136b99d60af00985a548cf3ff

SHA512
d09fb93a6a89e46b556ed4b5d1b5a16bbd3e3fa2efbcb856df740aeda060d1f7168b01aafc3d560100aa391964b4ccf1df8888ee0ddafb0dcd217b8360d7fbeb

Download Submit
C:\Users\Public\Music\xiao.exe

Filesize
2.2MB

MD5
19a45f5d5554890987606380b83893e0

SHA1
ec6ddf2423e1def3deeae86556aa8b4c1ba696f0

SHA256
9eee6bf121ec26849ad1be64b5fed73a840a17e572ce50b3485da81a88b3b7c9

SHA512
20f61c351cdc889661c330e8b07fe079f96b99b51d13285884d56f159bbfe9cd7159125581e78bdf35bb9fa036fbd9be9baa1251a24fb2c8f2b401e6f3435bcf

Download Submit
\Users\Public\Music\libcurl.dll

Filesize
820KB

MD5
87a86fd4855daaad294db845d4f2242b

SHA1
ff4859859ee6dcf4ef7502fa5c60a16d1712e1c7

SHA256
672ee4ce9de7267239a12bfe5a09751817547f4136b99d60af00985a548cf3ff

SHA512
d09fb93a6a89e46b556ed4b5d1b5a16bbd3e3fa2efbcb856df740aeda060d1f7168b01aafc3d560100aa391964b4ccf1df8888ee0ddafb0dcd217b8360d7fbeb

Download Submit
\Users\Public\Music\xiao.exe

Filesize
2.2MB

MD5
19a45f5d5554890987606380b83893e0

SHA1
ec6ddf2423e1def3deeae86556aa8b4c1ba696f0

SHA256
9eee6bf121ec26849ad1be64b5fed73a840a17e572ce50b3485da81a88b3b7c9

SHA512
20f61c351cdc889661c330e8b07fe079f96b99b51d13285884d56f159bbfe9cd7159125581e78bdf35bb9fa036fbd9be9baa1251a24fb2c8f2b401e6f3435bcf

Download Submit
memory/2720-14-0x0000000000500000-0x000000000054A000-memory.dmp

Filesize
296KB

Download
memory/2720-21-0x0000000010000000-0x000000001021E000-memory.dmp

Filesize
2.1MB

Download
memory/2720-37-0x0000000000500000-0x000000000054A000-memory.dmp

Filesize
296KB

Download
memory/2720-13-0x0000000010000000-0x000000001021E000-memory.dmp

Filesize
2.1MB

Download
memory/2720-36-0x0000000010000000-0x000000001021E000-memory.dmp

Filesize
2.1MB

Download
memory/2720-16-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2720-28-0x0000000003420000-0x000000000359D000-memory.dmp

Filesize
1.5MB

Download
memory/2720-17-0x0000000000500000-0x000000000054A000-memory.dmp

Filesize
296KB

Download
memory/2720-19-0x0000000010000000-0x000000001021E000-memory.dmp

Filesize
2.1MB

Download
memory/2720-27-0x0000000010000000-0x000000001021E000-memory.dmp

Filesize
2.1MB

Download
memory/2720-22-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2720-24-0x0000000010000000-0x000000001021E000-memory.dmp

Filesize
2.1MB

Download
memory/2720-20-0x0000000002320000-0x0000000002430000-memory.dmp

Filesize
1.1MB

Download
memory/2720-26-0x0000000010000000-0x000000001021E000-memory.dmp

Filesize
2.1MB

Download
memory/2720-18-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2980-3-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/2980-0-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/2980-15-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/2980-1-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads