6b1cb3c11e13697c2d82a83cc7a72a0c12814d275f23143048d69bc748088b5f

General

Target

2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe
Size

3.2MB
MD5

cd37fef2ca7c05589f2a3d57808fecfb
SHA1

50a67eef675c6dff3f808d536c2fc9450a240fdc
SHA256

6b1cb3c11e13697c2d82a83cc7a72a0c12814d275f23143048d69bc748088b5f
SHA512

1d173b4f099a6bc1859a3a9aec8950ad88b16f37aff2f2e926b6f700dc431d9e8143455dbc1ae72b2a2ab8f1a19107e05bb9a1d6042666ac52961d1d4e98c70d
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1N+:DBIKRAGRe5K2UZK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	f761f24.exe

Loads dropped DLL 9 IoCs

pid	Process
2896	2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe
2896	2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	2720	WerFault.exe	28

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	f761f24.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	f761f24.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2896	2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe
2896	2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe
2720	f761f24.exe
2720	f761f24.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2720	2896	2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe	28
PID 2896 wrote to memory of 2720	2896	2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe	28
PID 2896 wrote to memory of 2720	2896	2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe	28
PID 2896 wrote to memory of 2720	2896	2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe	28
PID 2720 wrote to memory of 2504	2720	f761f24.exe	30
PID 2720 wrote to memory of 2504	2720	f761f24.exe	30
PID 2720 wrote to memory of 2504	2720	f761f24.exe	30
PID 2720 wrote to memory of 2504	2720	f761f24.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_cd37fef2ca7c05589f2a3d57808fecfb_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761f24.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761f24.exe 259399460
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1456
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761f24.exe

Filesize
3.0MB

MD5
77a3d8056b65f6fbe8c4241b6227f8a5

SHA1
4eaa96a4981a9a10949748fdf117209415e9a021

SHA256
e87d1103445e86f386cc13d2e82619a0e9c9cb6d30b69b30521a3539f4eed6e9

SHA512
c4b01bced8e50e53029c7f393c1fe7f186683faa7e7f3a3b4985d6cf53f6f3331d355e51c0be9febe283675737e40b25f84c3ff0333ccd0de61ce860ccef064f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761f24.exe

Filesize
3.2MB

MD5
6a6de3e0b1fcb80c318fcf74332f9e2b

SHA1
c8c303358247f09c020b2a71fca51f953136f53f

SHA256
f82325a5f8511de4b6219767f16c5677e9af5525afb702847768a1e79dde4c09

SHA512
10f9c21823bc715adf274fcca2396b167543652198f82235e8878ca59ae45154eec79fbe11652fa10370c9b0b1bef2d12482465cf23d203bdfe99dcedd4bb0a2

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f761f24.exe

Filesize
2.1MB

MD5
267535a908d71f56427a89d4ebea7d30

SHA1
a1a4c3d3a502f0dae554f45fca6e977c502916f6

SHA256
ba19fa9e033d6ce0edcc0760848e8c739f2bf94cc395d9b88a0bf25f9ac620ed

SHA512
9c16033f423e92580f99c1ff5d0a2e4dc87030f45e8bdf41f88bf100d525b9501e13dc9301ec6c8ef2978e3db8627e79c6c5404839da651a163f97da107e35e3

Download Submit
memory/2720-13-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2720-14-0x00000000767D0000-0x00000000768D0000-memory.dmp

Filesize
1024KB

Download
memory/2720-41-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2896-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2896-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2896-12-0x0000000002AD0000-0x0000000002E75000-memory.dmp

Filesize
3.6MB

Download
memory/2896-11-0x0000000002AD0000-0x0000000002E75000-memory.dmp

Filesize
3.6MB

Download
memory/2896-15-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing