Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-02-2024 17:03
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe
  - Resource: win7-20240221-en

Behavioral task
- behavioral2
  - Sample: 2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe
  - Resource: win10v2004-20240226-en
General
- Target: 2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe
- Size: 3.2MB
- MD5: cee3aac99a30190dd74806a2c4154686
- SHA1: e8eb1e01a6e3b9e7dae0359d1cf026cddc63a90d
- SHA256: e8cf530d89bd77bd428a8167c8999cad3dd22844f463b60f5e52219b8752dc5e
- SHA512: 3f59e0b67c6aaeb08a50ca835b54cb27f7910b5461b9b2f630e7e1b860cf4c622fd6ddb7c4682a86355e90e5dede02f3dcc88c8cd9017a8cfe6c9202de63cba7
- SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1N1:DBIKRAGRe5K2UZJ
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid   Process
  2996  f7622dc.exe

- Loads dropped DLL (9 IoCs)
  pid   Process
  2924  2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe
  2924  2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe
  2548  WerFault.exe
  2548  WerFault.exe
  2548  WerFault.exe
  2548  WerFault.exe
  2548  WerFault.exe
  2548  WerFault.exe
  2548  WerFault.exe

- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2548  2996        WerFault.exe  28
- Modifies system certificate store (2 IoCs)
  description       ioc                                                                                                                Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436         f7622dc.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary data omitted]  f7622dc.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2924  2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe
  2924  2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe
  2996  f7622dc.exe
  2996  f7622dc.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                    pid   Process                                                           procid_target
  PID 2924 wrote to memory of 2996  2924  2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe  28
  PID 2924 wrote to memory of 2996  2924  2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe  28
  PID 2924 wrote to memory of 2996  2924  2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe  28
  PID 2924 wrote to memory of 2996  2924  2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe  28
  PID 2996 wrote to memory of 2548  2996  f7622dc.exe                                                       30
  PID 2996 wrote to memory of 2548  2996  f7622dc.exe                                                       30
  PID 2996 wrote to memory of 2548  2996  f7622dc.exe                                                       30
  PID 2996 wrote to memory of 2548  2996  f7622dc.exe                                                       30
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-28_cee3aac99a30190dd74806a2c4154686_hacktools_xiaoba.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2924

   2. C:\Users\Admin\AppData\Local\Temp\配置\f7622dc.exe (child of PID 2924)
      Command line: C:\Users\Admin\AppData\Local\Temp\配置\f7622dc.exe 259400428
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2996

      3. C:\Windows\SysWOW64\WerFault.exe (child of PID 2996)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 600
         - Loads dropped DLL
         - Program crash
         PID: 2548
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.2MB
  MD5: 8fcfad2df522d8420f2585f3e29577b2
  SHA1: 22760d6a62d0436b10c698f6c6bd501f5e618c86
  SHA256: 36088d7ff48f8e39d0b14f4896eeaa711446756beb530af3a250b4461c86e008
  SHA512: 854ca2c659b046bfc019134be8be65049150be4951dfcd4195ba7b7a7fea0b50de61cf5479cb7278f76a36e0f0a759f72499aa7d6490b2197c1dea5a4b4e9322

- Filesize: 2.7MB
  MD5: 7efa25da09e3586173ea2c32f353e63b
  SHA1: 7eb77ddad5cec1c155fdc12ca63775270f1ab19b
  SHA256: efa7717c09e1eac578476093787848b8fdde6ec51b5442560f2e5e2071511cf1
  SHA512: c5695268ecaee263e968ea4c99cd1983fa85557457b93f275266fff945e8d687694fab691a285775ddd931af69fb60dd2a046a387e4fc1ac0b88c8288f3d9daa