Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 00:34
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-23_497a1f36c93f4e7e05c6310f5a2f16ef_hacktools_xiaoba.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-05-23_497a1f36c93f4e7e05c6310f5a2f16ef_hacktools_xiaoba.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-23_497a1f36c93f4e7e05c6310f5a2f16ef_hacktools_xiaoba.exe
- Size: 3.2MB
- MD5: 497a1f36c93f4e7e05c6310f5a2f16ef
- SHA1: 90c17bbbf34f8920ac5d617c1da383d515d1212a
- SHA256: a850fd3484fe4f09543dc58b9abc3ab31bce178255c4cc1614dff6317eaa5f09
- SHA512: 2c02f6c7300d3a24f903c0664439d00f00e3b84366c71ad7b711c9fbe4591a9deec70842d9e80c626ddc398faf89521159bd6df4c4972fa9f2fd7b2750822744
- SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1N6:DBIKRAGRe5K2UZW
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2600 f767fe9.exe
- Loads dropped DLL (9 IoCs)
  Processes: PID 3008 2024-05-23_497a1f36c93f4e7e05c6310f5a2f16ef_hacktools_xiaoba.exe (2 events); PID 2844 WerFault.exe (7 events)
- Program crash (1 IoC)
  Processes: PID 2844 WerFault.exe, target PID 2600 f767fe9.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: PID 3008 2024-05-23_497a1f36c93f4e7e05c6310f5a2f16ef_hacktools_xiaoba.exe (2 events); PID 2600 f767fe9.exe (2 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: PID 3008 (2024-05-23_497a1f36c93f4e7e05c6310f5a2f16ef_hacktools_xiaoba.exe) wrote to memory of PID 2600 (f767fe9.exe), 4 events; PID 2600 (f767fe9.exe) wrote to memory of PID 2844 (WerFault.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-23_497a1f36c93f4e7e05c6310f5a2f16ef_hacktools_xiaoba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_497a1f36c93f4e7e05c6310f5a2f16ef_hacktools_xiaoba.exe"
  PID: 3008
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767fe9.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f767fe9.exe 259424343
    PID: 2600
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1508
      PID: 2844
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 3.2MB
- MD5: 38d4428a35a5cbff0b1e17c1f599a3c9
- SHA1: 408d084b6fd73ea9c27c98c4c3f2974eaf03ac45
- SHA256: b90ecc9b82b5b10ed6d3b562c595ca0f603a2e1b8f9534c1e7f103fb157ddf37
- SHA512: 83cdcf1fa6153043b36d01c388f18f3e135655c93e7fbe80825ffa2ef6b741e9d31dae704b01662d66379fd03a8ff61ca98bb24c82d4b7d7654f5f7ef1e1b246