a578c8153e75d125f23f5c24518d9ecbe8b78564835e2c7e298dc1eda647c3ca

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe
Size

3.2MB
MD5

a631cf5fe45ed9edb034cc876bd5789d
SHA1

70bc691835551536aa9f96374d9dd0a13fbb5776
SHA256

a578c8153e75d125f23f5c24518d9ecbe8b78564835e2c7e298dc1eda647c3ca
SHA512

fbf75be1ab6712cb2732b3329bed9729a893d52137fa7efe2d3b9b5084827fcd342096b8ed97148535229cdfae75175c84bea3134026578cc9afef0307e1e3fa
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1N4:DBIKRAGRe5K2UZE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	f7611fb.exe

Loads dropped DLL 9 IoCs

pid	Process
2468	2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe
2468	2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	2112	WerFault.exe	18

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	f7611fb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	f7611fb.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2468	2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe
2468	2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe
2112	f7611fb.exe
2112	f7611fb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2112	2468	2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe	18
PID 2468 wrote to memory of 2112	2468	2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe	18
PID 2468 wrote to memory of 2112	2468	2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe	18
PID 2468 wrote to memory of 2112	2468	2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe	18
PID 2112 wrote to memory of 2944	2112	f7611fb.exe	30
PID 2112 wrote to memory of 2944	2112	f7611fb.exe	30
PID 2112 wrote to memory of 2944	2112	f7611fb.exe	30
PID 2112 wrote to memory of 2944	2112	f7611fb.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_a631cf5fe45ed9edb034cc876bd5789d_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe 259396106
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 604
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
132KB

MD5
9ea15db1f6c5fbae2d624d96ed3bb862

SHA1
1b8962bf61f6994976d73f8bf6eff5587ae1b5b1

SHA256
e21c740fa5fb5719f7739e58f6143793cfa95ce41597ab56d78794707a79a547

SHA512
c8ad2c5a9b8345d58188d718daa9a8787cf353abc81fd51e3fd3c99d45d4e27660c9ce986c71aa56dd4c8f97d2a571e681273a5a6e00d19725857ffd36582137

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
144KB

MD5
5b0f054a1d35bebd3ea592db5ebd38e0

SHA1
ed0b17b8da977ded126c13d293cbe5f0e615dcaf

SHA256
a766b35841f0e82b258d5a63f07c556535dd211b2b023551d2a84282175f48ef

SHA512
ec35521cd1e571b8d176d89ac66d95ca4ace13ccd7eed1f25c18b31d28ad2dc1d578da726f656083892bfe3971a66ecd5667fba6d6fac544d9a66453a3275a27

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
94KB

MD5
7b3fabd6a965526245258497f9331025

SHA1
748f997b3ca96f459df17fea45edc113bea78408

SHA256
e3351abf31c11a1a1af8730fe7856f19e3b5a5405c3481f511fe03e421ea154b

SHA512
2b3076bd1d3de6d533f73044a179048bad84eafe26ee745150637953612dbc6c7b8b5713550237b96c504e40ca4310bbef73a7afed4fa2280aba59c27e4d4ad4

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
15KB

MD5
d7f5b22fca52a505f34e838d0f6a0daf

SHA1
5f70ed5697c77a7f8e86ff1fa2d45650b93da996

SHA256
697d4299dd013ee5a4939dca9427a455950aeabe8f57238e918d31dd59785e96

SHA512
e25eadf8a95ad8ab548c20cf76b04f20453729de8f0d0e391bd00f40c874a024f7c4d186a297294e88257e06848d6352c68947a860f408d8b559ceb088cddea1

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
22KB

MD5
92e8702fb75c376f82ab126581e8b83b

SHA1
246cc604f0ac3d04b2abc6a934658cc389126557

SHA256
cbf36e975f84d5e8c439d1ef75b487100938562d7a4b6a2b03947b0e998cb088

SHA512
a9e2c36c491f8d211960ce8e7bdb96bedc65ca2ed297bebaeb65e1904609a247eb4332a245f6312475add54d0609e8826e1f05a6a022bf0cef44860d03b57a7f

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
15KB

MD5
4d3fcc695ea69ae3c5aaef16198e0304

SHA1
d2d9eb3860d29fd05076d4bb15eea89f2b5ff2f8

SHA256
56505acd43b917276cb17ba4c1b2bb94b3bdb001055bbcadc44547dfb7b968e1

SHA512
f4bb69ce1e1c8b72dceb2ed8ed5b7a86e67a0e61e8c2ab2d8e685dcf8dc3aa805adf9a10ea1ddf3c3cf94487a6dbdf298bda5be75f46614c7ec6f60952175dcd

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
45KB

MD5
2079ab88eb000aa6e47ad6a45c3ad401

SHA1
d9fb2ca5492a766e701acbd5a656dfb95aa300f7

SHA256
5726524dfacbbc5cc5f87d26b9c68fa59af90783f23d86ccfc1e70c5491e37c1

SHA512
202d30006722b744b4366c7eb1cba6358c65f7f9f5aad003c68705676955042a916deaef2f0f0d46db4f38f363b079a851c37be0e72feef870986d08bae7a24a

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
35KB

MD5
0afb59c7dd48d7001fb19418c0f57cc5

SHA1
06bb60deb5539703822307296ddeea48f0cb0f3f

SHA256
733084b92625c3d8f6e7f8c38d2636de7553182877e116e06e9877c428c1f872

SHA512
998f699b69996357ffc39e07719508b951f0bc2476668330e56e8043a544a4c288d6ffa278fbd7c8ed6b7a80b9c0f95bf2cd64a023c88ed19af1254757189a65

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
67KB

MD5
b02caccff3fa4662d6ccadbb5cc3d127

SHA1
5a916f1fecef7c299775f408d05d49883f86766e

SHA256
9e9821c25dd383b9657e8bfd56650887759d7a994bf7658506b470c5d3490ad6

SHA512
8508c90766c8c010048c908a7d7af64a6610842ecb7dce5d757083d14258e2ee7ab8654aad57df39c257410ad853479908a26b3a7a485e90aa4058a152a39e1d

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
55KB

MD5
778250c78859f969c222b387e4c46f68

SHA1
73c7113d827abcb4ffa1f8983a9514dd69e425e9

SHA256
f2702e1e851fb9317310ae545fb0d2ac8982c239eadeb5888be2d92555af1e46

SHA512
8fa1bb6472c6662e0a48690f362af1a6de6c1c611d0da79e8156fb86ccf0591b786ebea52e44327cd0ed1c6e984326ce8a2b4cc01dfc41643259789c937a0964

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7611fb.exe

Filesize
85KB

MD5
84c416b234ac3ff6f942973f26650d42

SHA1
0800350dd117a903f9f94e738c92e60734a50aca

SHA256
285b1b9e6c4dcb61aeaf5f2c1ab21dbae1d3fa111726b9253d1dde2925f2a546

SHA512
0fff112a9b4c10cb053e15dd4ce569964a9f8cd33b5f6dc90ab409b86004ecbc7d07892ab6e41691984471e3038c27c718bf5711a945e2cb8aa6b9bd2007aac6

Download Submit
memory/2112-12-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2112-13-0x0000000076580000-0x0000000076680000-memory.dmp

Filesize
1024KB

Download
memory/2112-40-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2468-32-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2468-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2468-11-0x0000000002B00000-0x0000000002EA5000-memory.dmp

Filesize
3.6MB

Download
memory/2468-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download