a5cecffec2a9960a167552ffb83b5ebba01dde5131337070ff719c23abeb897e

General

Target

2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
Size

3.2MB
MD5

c419fe06ea7b0fa2cc3b25be24aa06cf
SHA1

dd431a4c1a0b365c75ad2256e82c21c34f25b48e
SHA256

a5cecffec2a9960a167552ffb83b5ebba01dde5131337070ff719c23abeb897e
SHA512

3de98ec264b384af9f0930f9772435fc5b1ace2773650fc43f11731730086e3d152a8bcf75bd3348ab9415a3a36b175cc763d2673a1fe0a10138501a78798f51
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nb:DBIKRAGRe5K2UZP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

f761297.exe

pid process

2492 f761297.exe

pid	process
2492	f761297.exe

Loads dropped DLL 9 IoCs

Processes:

2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exeWerFault.exe

pid	process
3048	2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
3048	2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2736 2492 WerFault.exe f761297.exe

pid	pid_target	process	target process
2736	2492	WerFault.exe	f761297.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

f761297.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	f761297.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	f761297.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exef761297.exe

pid	process
3048	2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
3048	2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
2492	f761297.exe
2492	f761297.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exef761297.exe

description	pid	process	target process
PID 3048 wrote to memory of 2492	3048	2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe	f761297.exe
PID 3048 wrote to memory of 2492	3048	2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe	f761297.exe
PID 3048 wrote to memory of 2492	3048	2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe	f761297.exe
PID 3048 wrote to memory of 2492	3048	2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe	f761297.exe
PID 2492 wrote to memory of 2736	2492	f761297.exe	WerFault.exe
PID 2492 wrote to memory of 2736	2492	f761297.exe	WerFault.exe
PID 2492 wrote to memory of 2736	2492	f761297.exe	WerFault.exe
PID 2492 wrote to memory of 2736	2492	f761297.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761297.exe
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761297.exe 259396247
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 608
3⤵
- Loads dropped DLL
- Program crash
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761297.exe

Filesize
3.2MB

MD5
f3ea0ffaab6e1c9ee4398701c19921ad

SHA1
71ea92132c1d8116848ffa1daf5ae3dfadf40ffc

SHA256
e0ea0bdfcd9d4d3aa24502fc1df955c29332ec854e750e8d03f926b82c5b4059

SHA512
cc6d67940d0eea2e5b84f88d893c44fb009c2865cee78f2d0d9ee308ad422e77a6c4f76c9d0bf58b87d00ddcac4da128bce5e0b3bf2551cd7b1eabf8310a1d0c

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761297.exe

Filesize
2.2MB

MD5
6af4138610308c138d635da81eff6d0c

SHA1
497b41b0b8749d657654158c3ca3c3369f719a20

SHA256
da2075c35af712ab538f759bc04a4a17f75fab52301deae2fbd1b2f165a5b5e4

SHA512
ee6566621a1c59e7a8fd512fe481c8bf817fbe7400b504797e2c0fb0790a09180000bc2947dbeac6f7cb937cce2942ffda3f6172c4bed1e37a5c88eff1bfc93c

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761297.exe

Filesize
2.7MB

MD5
8311c150c83ab5bbf1bc1a3f0f39f91e

SHA1
f0537e780012ff77b20e16ad5eeff6ae01cdc453

SHA256
b042031d5e0d857c523dcd9e3844c1a7e205962ae1e797ea4bc37f0dc17b14f9

SHA512
f4a742725be962b5f6b5af1d0e5c0ef95d10a7630c77c7f836c07094a3f50c360f75b5bee2e49e94c919f0a011bf932bc92f4a48bd85e44183c429c4449776c7

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761297.exe

Filesize
2.9MB

MD5
adfb20902292e7f559471a177e34766b

SHA1
6b267e086278091569eba78a6831ef0f0ff54e94

SHA256
62032b3e368b8a24733e1bfe1069bb8686172e1cae2fc71b6842285aca356b97

SHA512
e12a498e9b65600234e5088295090fc3008af030c05cb9728c3a8b4dcbdd81324a14e3f47db480c8560f75d4ca3d0e7b116d63d0e4be6c457c99fe665cbe94ca

Download Submit
memory/2492-14-0x0000000075B20000-0x0000000075C20000-memory.dmp

Filesize
1024KB

Download
memory/2492-12-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2492-41-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2492-42-0x0000000075B20000-0x0000000075C20000-memory.dmp

Filesize
1024KB

Download
memory/3048-13-0x0000000002A90000-0x0000000002E35000-memory.dmp

Filesize
3.6MB

Download
memory/3048-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3048-31-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3048-10-0x0000000002A90000-0x0000000002E35000-memory.dmp

Filesize
3.6MB

Download
memory/3048-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads