Analysis
Max time kernel: 137s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-05-2024 00:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe
- Resource: win10v2004-20240226-en
General
Target: 2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe
Size: 3.2MB
MD5: 23fe17a3d65d3be7daff0c7d5b564c68
SHA1: 2492d33cb0bdccb3de7906575ce6659a1cc57205
SHA256: d177c1b0ed91867e218fdd2b20246ff0e30b2d340c62b2db50ca4cb7168bcb6d
SHA512: 6f267b50a9843b06b60f4a921944d4ae8a5f00af0fbfa2dbdee0a69ed65570f1164fd2559a6238240f51002e57b72149ad7e352b84f67b147c6ca3dfb778d17b
SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nx:DBIKRAGRe5K2UZt
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: e58291e.exe (PID 4340)
- Program crash (1 IoC)
  Process: WerFault.exe (PID 3684), target: e58291e.exe (PID 4340)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: 2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe (PID 1504, 2 hits); e58291e.exe (PID 4340, 2 hits)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1504 (2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe) wrote to the memory of PID 4340 (e58291e.exe), 3 hits
Processes
(Depth shows the parent/child relationship. The dropped file's directory name ÅäÖÃ is not random: it is the GBK-encoded string 配置 ("configuration") displayed through the en-US VM's ANSI code page 1252, so the same folder would show its Chinese name on a Chinese-locale system.)
1. C:\Users\Admin\AppData\Local\Temp\2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe (PID 1504)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e58291e.exe (PID 4340)
      Command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e58291e.exe 240658734
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      3. C:\Windows\SysWOW64\WerFault.exe (PID 3684)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 2056
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4340 -ip 4340
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
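The behaviour recorded above (a sample in %TEMP% drops a second executable into a sub-folder, runs it, and the child immediately dies under WerFault) is the kind of chain a triage script can pull out of process-creation telemetry. The following is an added example written for this page, not code from the sandbox or from the sample's author. The event records are constructed from the process tree shown above (PIDs 1504, 4340, 3684 and their command lines); the dict field names are an assumed schema rather than any real sandbox or EDR export, and the file-write event by PID 1504 is an assumption consistent with the "Executes dropped EXE" signature, since the report does not show the write itself. The mojibake decoder reproduces the ÅäÖÃ → 配置 observation from the note above.

```python
import re

# Constructed process-creation events modelled on the report's process tree.
# Field names ("pid", "ppid", "image", "cmdline") are an assumed schema.
EVENTS = [
    {"pid": 1504, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-05-23_23fe17a3d65d3be7daff0c7d5b564c68_hacktools_xiaoba.exe"'},
    {"pid": 4340, "ppid": 1504,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ÅäÖÃ\\e58291e.exe",
     "cmdline": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ÅäÖÃ\\e58291e.exe 240658734"},
    {"pid": 3684, "ppid": 4340,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 2056"},
]

# Constructed file-write event. The report shows the dropped file only under
# Downloads plus the "Executes dropped EXE" signature; attributing the write to
# PID 1504 is an assumption (it is the only other process in the chain).
FILE_WRITES = [
    {"pid": 1504, "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ÅäÖÃ\\e58291e.exe"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"


def is_under_temp(path):
    """True when an image path lives under a user's %LOCALAPPDATA%\\Temp tree."""
    return TEMP_MARKER in path.lower()


def find_dropped_exe_executions(events, file_writes):
    """Return (writer_pid, exec_pid) pairs: a process executed an image that a
    different process in the same trace wrote earlier. This is the logic behind
    an "Executes dropped EXE" style signature."""
    written_by = {w["path"].lower(): w["pid"] for w in file_writes}
    hits = []
    for ev in events:
        writer = written_by.get(ev["image"].lower())
        if writer is not None and writer != ev["pid"]:
            hits.append((writer, ev["pid"]))
    return hits


# WerFault names the faulting process with "-p <pid>"; "-pss" and "-ip" must not match.
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")


def find_crashes(events, watched_pids):
    """Map each watched PID to the WerFault PID that reported its crash."""
    crashes = {}
    for ev in events:
        if not ev["image"].lower().endswith("\\werfault.exe"):
            continue
        m = WERFAULT_TARGET.search(ev["cmdline"])
        if m and int(m.group(1)) in watched_pids:
            crashes[int(m.group(1))] = ev["pid"]
    return crashes


def decode_ansi_dirname(name, ansi_codepage="cp1252", original_codepage="gbk"):
    """Undo mojibake: the en-US VM rendered the GBK bytes of the folder name
    through code page 1252, so re-encoding with cp1252 and decoding as GBK
    recovers the name the author wrote."""
    return name.encode(ansi_codepage).decode(original_codepage)


def triage(events, file_writes):
    """Run the checks and return a summary a triage note can be built from."""
    dropped = find_dropped_exe_executions(events, file_writes)
    dropped_pids = {child for _, child in dropped}
    return {
        "dropped_exe_runs": dropped,
        "crashed_dropped": find_crashes(events, dropped_pids),
        "pids_running_from_temp": [ev["pid"] for ev in events if is_under_temp(ev["image"])],
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS, FILE_WRITES).items():
        print(f"{key}: {value}")
    print("dropped-file directory decodes to:", decode_ansi_dirname("ÅäÖÃ"))
```

Running it against the constructed events reports the 1504 → 4340 dropped-EXE execution, the crash of 4340 reported by WerFault PID 3684, and both Temp-resident PIDs; on real telemetry the same three checks, fed from process-creation and file-write logs, separate a dropper that fails on the analysis VM from one that ran to completion.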
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e58291e.exe
  Filesize: 3.2MB
  MD5: 555321ed94a1acf1156a44ca19cf1094
  SHA1: d88d6b58a6643a52c6cbe67c97f74d4618af3466
  SHA256: 4dde5b302e1b3f69890aab39fb429a060810af114f0b7e03b4f35e31561f3437
  SHA512: f1683e0385bd961c63f8b67d6a568c7d702238e1a681af7abefe8feb652969a49e8f5e4d26ed4c35880a3c4179e37bed8f788df50d855f89c2241db635df96b4
- memory/1504-0-0x0000000000400000-0x00000000007A5000-memory.dmp
  Filesize: 3.6MB
- memory/1504-1-0x0000000000400000-0x00000000007A5000-memory.dmp
  Filesize: 3.6MB
- memory/1504-7-0x0000000000400000-0x00000000007A5000-memory.dmp
  Filesize: 3.6MB
- memory/4340-19-0x000000007781A000-0x000000007781B000-memory.dmp
  Filesize: 4KB
- memory/4340-23-0x0000000000400000-0x00000000007A5000-memory.dmp
  Filesize: 3.6MB