5ce5c29924e6db3d039723a08e2881b96d9c01ecf5b52a5a23f1d40d3d4f7bb9

General

Target

2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe
Size

3.2MB
MD5

1c89b48c7cf873c4dfed148149c5508e
SHA1

913c573dd4df49d49da1befbf41c67a552579f7e
SHA256

5ce5c29924e6db3d039723a08e2881b96d9c01ecf5b52a5a23f1d40d3d4f7bb9
SHA512

984765b336ee567860e144fb0750318444bde0308ab9cf2f759659963468623aa8244983dd8a91e26a0c11cd044b4a8689c751f561745b940ea499095d1a4adf
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nm:DBIKRAGRe5K2UZi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	f7629bf.exe

Loads dropped DLL 9 IoCs

pid	Process
2976	2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe
2976	2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	3056	WerFault.exe	28

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	f7629bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	f7629bf.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2976	2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe
2976	2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe
3056	f7629bf.exe
3056	f7629bf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3056	2976	2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe	28
PID 2976 wrote to memory of 3056	2976	2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe	28
PID 2976 wrote to memory of 3056	2976	2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe	28
PID 2976 wrote to memory of 3056	2976	2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe	28
PID 3056 wrote to memory of 2408	3056	f7629bf.exe	30
PID 3056 wrote to memory of 2408	3056	f7629bf.exe	30
PID 3056 wrote to memory of 2408	3056	f7629bf.exe	30
PID 3056 wrote to memory of 2408	3056	f7629bf.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_1c89b48c7cf873c4dfed148149c5508e_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe 259402190
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 616
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe

Filesize
3.2MB

MD5
02f340b60c05333ed60c72b868d26ae4

SHA1
c76a83b86fbadc2d948746b4556c669720bb4e57

SHA256
6057a916ab58c3481af9797f7c28cf099438e8d2d105532cb3040e5bb1622baf

SHA512
6979283eb848a1485aefd305226df264c092764648d9e7668ac6ac8d509146aef3503cac4eba26cd53b372219ec1ba63ee5420af45c90e4f2014761b0d0a8832

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe

Filesize
2.1MB

MD5
b03deac11cd3de19339ac6e833d78f71

SHA1
f34295cbefe274e478f99c8000c3bc833f06769e

SHA256
d1fe9b5fc1085b4ea767c1e05e5d752e1ac75a3db506f0104479442bbd6ff01f

SHA512
ea5d156e32b7bc3fd7d004cc9d87f029cbec89c18e7fe03cfbe831d83125cfc332ef860a6487a34809e6e01610c1eaab45c5af8a03f5890012d699af76b32178

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe

Filesize
2.3MB

MD5
30e3cb9dafba5d40da7ae64fe1289915

SHA1
6257043a9868cb7aa92bff6635adf8259752f149

SHA256
36bbc2621b5099329a47b24f379587c1b6cd43b39d2b962953a4e191cc4bde01

SHA512
63503548d3c600965b81fd546c20d6fcd6b1eb570eed75938c64db836aadc4372fb8cd7ed8ce66644f43a5a04a32f36fd0ac9b7ee3e023bc501467d4de1bf5b0

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe

Filesize
2.7MB

MD5
1ef65755b32b6aff0f06c9fd340c18e6

SHA1
0d5ed6d9ee081a2c0ae5e55f27b9ffbc5c0faa81

SHA256
8036b2e0d152fae8117c056568e6f11fa497597407a1a1b1446609587fa0cca3

SHA512
13a1a3c2e44a024246ac0e9c225e6db20a75116bb7b7c9bad56222dc50006e09506bbcd3454a06cc723a6c851efb36a95177dbd98ed953c19d0917e253a9c843

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe

Filesize
2.2MB

MD5
cd374fed4a413440a62dd9b1e29b3493

SHA1
f8ab130d3e0b78e08196e17c33f8351d59c22573

SHA256
4cb65b482948ba1e9b835fc341ea569ee0b64e1b2dbf3592fca05c30c8edc23a

SHA512
656a1014d367c7e87e7d5e9f7c95d3e763e4fb47b8fbdac7c9fc1d1e98dcddd7870b950a0f7aa2c1ce043f1848fcc543c64269e40c03a08a5ec7179dcdaaa669

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe

Filesize
2.5MB

MD5
007680f629fa1335258b6859f09fdb64

SHA1
4442d817834f14e9c673d706affd73e7dec543e1

SHA256
a0b242a3a50c514509ebca43dacc23f9849875704fee108f4e457446803226bc

SHA512
6636011ab93badc723d14f85f0efb74ebd628a1e9bd1c2b64c6d94d9953e9bacfaac05051b02a31d1eeaf8e45f3d877d36c2296694152c9538b7f1a35a0645ef

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe

Filesize
2.7MB

MD5
f1e88b771b1505b52a7a4f87ea80ad9e

SHA1
71d2f21a378f76d1d153908c0061ca8ab3a1de7a

SHA256
5b2800f39e36119656ea23b04d2783764949f9e9a2241a166268cc141041729d

SHA512
0c65af16689fc3cbe49505e489549e318939bfce40eb06976430ebb9d960d6ec4bb75ade0f0cfda446b64472e268917edd9a97287c84c6cac9027840bceab80a

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7629bf.exe

Filesize
2.5MB

MD5
c5f65667be93e2d688bc0b6fadf38f2c

SHA1
4dfb76f1b39088cc1f96b16e68c948dde88a0b1a

SHA256
cd6c6fc1e0122697758315c10bf9504edb97a3b7451dc454e7708ca09f80194b

SHA512
9484d189abb2fb63099a11a65995c176d82fe6cf8ac4c0c3f79370067867b960be77bc863a4dc466be1ea06e2c33a94d6664d55d15c0f8875978eac87904e8c6

Download Submit
memory/2976-32-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2976-12-0x0000000002C90000-0x0000000003035000-memory.dmp

Filesize
3.6MB

Download
memory/2976-11-0x0000000002C90000-0x0000000003035000-memory.dmp

Filesize
3.6MB

Download
memory/2976-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3056-13-0x00000000757B0000-0x00000000758B0000-memory.dmp

Filesize
1024KB

Download
memory/3056-40-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing