Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
12-02-2024 18:29
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
Resource
win10v2004-20231222-en
General
-
Target
2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
-
Size
3.2MB
-
MD5
c419fe06ea7b0fa2cc3b25be24aa06cf
-
SHA1
dd431a4c1a0b365c75ad2256e82c21c34f25b48e
-
SHA256
a5cecffec2a9960a167552ffb83b5ebba01dde5131337070ff719c23abeb897e
-
SHA512
3de98ec264b384af9f0930f9772435fc5b1ace2773650fc43f11731730086e3d152a8bcf75bd3348ab9415a3a36b175cc763d2673a1fe0a10138501a78798f51
-
SSDEEP
49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nb:DBIKRAGRe5K2UZP
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
PID   Process
2492  f761297.exe
-
Loads dropped DLL 9 IoCs
Processes:
PID   Process                                                                Loads
3048  2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe      2
2736  WerFault.exe                                                           7
WerFault.exe accounts for seven of the nine hits: it opens the modules of the process it is reporting on (PID 2492) to collect crash details, so the dropped files show up under it without the sample having loaded anything into WerFault.
-
Program crash 1 IoCs
Processes:
PID   Process       Target PID  Target process
2736  WerFault.exe  2492        f761297.exe
-
Modifies system certificate store 2 IoCs
Processes:
Description       IoC                                                                                                                   Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436        f761297.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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  f761297.exe
Note: AuthRoot is the store that Windows' automatic root-certificate update fills when a chain is built against a root that is not yet cached locally, and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the thumbprint of DigiCert Global Root CA. A single public root landing here is therefore usually a by-product of a TLS connection the process made rather than the sample planting its own trust anchor; a self-signed or unknown subject in the Blob, or writes under ROOT instead of AuthRoot, would be the real red flag. Correlate with the Network section.
-
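The Blob value above is redacted on this page, but when the full value is available (from the sandbox's registry dump or from the live key via `Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<thumbprint>' -Name Blob`), the check worth doing is to pull the DER certificate out of it, recompute the thumbprint, and look at whose root it is. The following is an added example written for this page, not code from the sandbox report or from the sample: it parses the record layout Windows uses for serialized certificate properties (property id, reserved word, length, data), and the five-byte DER placeholder it ships with is a constructed stand-in, not a real certificate.

```python
"""Extract the DER certificate from a Windows certificate-store registry Blob
and verify that its SHA-1 thumbprint matches the registry key it sits under."""
import hashlib
import struct

# Property identifiers from wincrypt.h (CERT_*_PROP_ID).
CERT_SHA1_HASH_PROP_ID = 3    # 20-byte SHA-1 of the encoded certificate
CERT_CERT_PROP_ID = 32        # the certificate itself, DER encoded


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: raw_bytes}.

    The value is a sequence of records, each laid out as
        DWORD property_id, DWORD reserved (always 1), DWORD length, <length> bytes
    all little-endian. Malformed input raises ValueError instead of silently
    returning a partial result.
    """
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} at offset {off + 4}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs {off + length - len(blob)} bytes past the end")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_cert_blob(der: bytes) -> bytes:
    """Serialize a certificate the way the store does: SHA-1 property, then the cert."""
    def record(prop_id, data):
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()) + record(CERT_CERT_PROP_ID, der)


def check_thumbprint(blob: bytes, key_name: str) -> dict:
    """Recompute the thumbprint from the embedded certificate and compare it with
    the registry key name (40 hex digits of SHA-1) and with the stored property 3."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (property 32)")
    computed = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    stored_hex = stored.hex().upper() if stored else None
    return {
        "der": der,
        "computed": computed,
        "stored": stored_hex,
        "matches_key": computed == key_name.strip().upper(),
        "matches_stored": stored_hex is None or stored_hex == computed,
    }


# Constructed stand-in: a five-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_BLOB = build_cert_blob(SAMPLE_DER)
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_DER).hexdigest().upper()

# Key name the sandbox saw f761297.exe create (taken from the report above).
REPORT_KEY_NAME = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"


if __name__ == "__main__":
    own = check_thumbprint(SAMPLE_BLOB, SAMPLE_KEY_NAME)
    print("constructed blob under its own key name:", own["matches_key"], own["computed"])
    other = check_thumbprint(SAMPLE_BLOB, REPORT_KEY_NAME)
    print("constructed blob under the report's key name:", other["matches_key"])
```

Once the real DER is written out (`open("cert.der", "wb").write(result["der"])`), `openssl x509 -inform DER -in cert.der -noout -subject -fingerprint -sha1` shows the subject and confirms the fingerprint; a mismatch between the key name and the recomputed SHA-1, or a subject that is not a known public CA, is what turns this IoC from noise into a finding.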
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
PID   Process                                                                Calls
3048  2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe      2
2492  f761297.exe                                                            2
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Source PID  Source process                                                     Target PID  Target process  Writes
3048        2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe  2492        f761297.exe     4
2492        f761297.exe                                                        2736        WerFault.exe    4
Every write goes from a parent into the child it has just spawned (compare the process tree below), which is what ordinary process creation looks like; nothing is written into a pre-existing or unrelated process, so this signature by itself does not indicate injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_c419fe06ea7b0fa2cc3b25be24aa06cf_hacktools_xiaoba.exe"
Tree level: 1 (root)
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761297.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761297.exe 259396247
Tree level: 2 (child of PID 3048)
The directory name ÅäÖÃ is not random: it is the GBK encoding of 配置 ("configuration", bytes C5 E4 D6 C3) created through the ANSI file API on an en-US guest, so it is rendered under code page 1252. A path indicator should match the raw bytes or both renderings.
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 608
Tree level: 3 (child of PID 2492)
-u marks a user-mode crash and -p 2492 names the crashing process (the dropped f761297.exe); the SysWOW64 path shows it was running as a 32-bit process on the x64 guest.
- Loads dropped DLL
- Program crash
PID:2736
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  3.2MB
MD5       f3ea0ffaab6e1c9ee4398701c19921ad
SHA1      71ea92132c1d8116848ffa1daf5ae3dfadf40ffc
SHA256    e0ea0bdfcd9d4d3aa24502fc1df955c29332ec854e750e8d03f926b82c5b4059
SHA512    cc6d67940d0eea2e5b84f88d893c44fb009c2865cee78f2d0d9ee308ad422e77a6c4f76c9d0bf58b87d00ddcac4da128bce5e0b3bf2551cd7b1eabf8310a1d0c
-
Filesize  2.2MB
MD5       6af4138610308c138d635da81eff6d0c
SHA1      497b41b0b8749d657654158c3ca3c3369f719a20
SHA256    da2075c35af712ab538f759bc04a4a17f75fab52301deae2fbd1b2f165a5b5e4
SHA512    ee6566621a1c59e7a8fd512fe481c8bf817fbe7400b504797e2c0fb0790a09180000bc2947dbeac6f7cb937cce2942ffda3f6172c4bed1e37a5c88eff1bfc93c
-
Filesize  2.7MB
MD5       8311c150c83ab5bbf1bc1a3f0f39f91e
SHA1      f0537e780012ff77b20e16ad5eeff6ae01cdc453
SHA256    b042031d5e0d857c523dcd9e3844c1a7e205962ae1e797ea4bc37f0dc17b14f9
SHA512    f4a742725be962b5f6b5af1d0e5c0ef95d10a7630c77c7f836c07094a3f50c360f75b5bee2e49e94c919f0a011bf932bc92f4a48bd85e44183c429c4449776c7
-
Filesize  2.9MB
MD5       adfb20902292e7f559471a177e34766b
SHA1      6b267e086278091569eba78a6831ef0f0ff54e94
SHA256    62032b3e368b8a24733e1bfe1069bb8686172e1cae2fc71b6842285aca356b97
SHA512    e12a498e9b65600234e5088295090fc3008af030c05cb9728c3a8b4dcbdd81324a14e3f47db480c8560f75d4ca3d0e7b116d63d0e4be6c457c99fe665cbe94ca