1f2db29c2cce3dd181134d1ee644faf07cc39ba079ce69152b45c4703b19f472

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 03:56

Target

2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe
Size

3.2MB
MD5

d4da04d17ba24e70509b71c4b1a51a2d
SHA1

8bac4020a4b7513aec111daca0e5e7a7fe9c02b5
SHA256

1f2db29c2cce3dd181134d1ee644faf07cc39ba079ce69152b45c4703b19f472
SHA512

7cb613be047f06f80304de4b429b98bf434194215204ae3a2ef54061183031551693363b9179b88e70fa6775207f075b7e738aec191f4234c42877e06161c10a
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NF:DBIKRAGRe5K2UZx

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2140	f7638fb.exe

Loads dropped DLL 9 IoCs

pid	Process
2368	2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe
2368	2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2464	2140	WerFault.exe	28

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2368	2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe
2368	2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe
2140	f7638fb.exe
2140	f7638fb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2140	2368	2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe	28
PID 2368 wrote to memory of 2140	2368	2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe	28
PID 2368 wrote to memory of 2140	2368	2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe	28
PID 2368 wrote to memory of 2140	2368	2024-05-25_d4da04d17ba24e70509b71c4b1a51a2d_hacktools_xiaoba.exe	28
PID 2140 wrote to memory of 2464	2140	f7638fb.exe	30
PID 2140 wrote to memory of 2464	2140	f7638fb.exe	30
PID 2140 wrote to memory of 2464	2140	f7638fb.exe	30
PID 2140 wrote to memory of 2464	2140	f7638fb.exe	30

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7638fb.exe

Filesize
3.2MB

MD5
4ece4e176293b4152172a0dd91de9a4b

SHA1
aed19c5e7a9c6b0b5dfaec4e04b41d437582926c

SHA256
2335cf2433eba84f6cd10fcc6eba957bc0d3a54757a0badfc930c522a0dfb92d

SHA512
e36757fb2f8a6b1265d4c8f6eb81dfffb3982b13064aeaa807c42a76d713cc16be8412ca4b6a5c911f4567c321e33adac7927841964f45804c12702794de1f27

Download Submit
memory/2140-12-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2140-14-0x000000007598D000-0x000000007598E000-memory.dmp

Filesize
4KB

Download
memory/2140-44-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2140-45-0x000000007598D000-0x000000007598E000-memory.dmp

Filesize
4KB

Download
memory/2368-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2368-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2368-11-0x0000000002B50000-0x0000000002EF5000-memory.dmp

Filesize
3.6MB

Download
memory/2368-33-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download