Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2024, 19:06
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe
Size: 3.2MB
MD5: 44f7c2d17f426caebb6f5ebf16cff96e
SHA1: 20efbc61e54130facfa91cf757e2888b076f657e
SHA256: 499a2d0ac164f8efce97c01f80c980d7e7e25de6e69ce0a44d03d022d5c69c2a
SHA512: 9d9f762d9b58124d7b1e89f7ba49a66560b5aff563ecd42fa9bf083c0580110bc70aa860c083540212cf93f6073c9bdfd97f76834cecdf629a2988779c38d602
SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1N/:DBIKRAGRe5K2UZT
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid   Process
    2428  f768cf4.exe
- Loads dropped DLL (9 IoCs)
    pid   Process
    2212  2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe
    2212  2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe
    2524  WerFault.exe
    2524  WerFault.exe
    2524  WerFault.exe
    2524  WerFault.exe
    2524  WerFault.exe
    2524  WerFault.exe
    2524  WerFault.exe
- Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2524  2428        WerFault.exe  28
- Suspicious use of SetWindowsHookEx (4 IoCs)
    pid   Process
    2212  2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe
    2212  2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe
    2428  f768cf4.exe
    2428  f768cf4.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
    description                       pid   Process                                                           procid_target
    PID 2212 wrote to memory of 2428  2212  2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe  28
    PID 2212 wrote to memory of 2428  2212  2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe  28
    PID 2212 wrote to memory of 2428  2212  2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe  28
    PID 2212 wrote to memory of 2428  2212  2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe  28
    PID 2428 wrote to memory of 2524  2428  f768cf4.exe                                                       30
    PID 2428 wrote to memory of 2524  2428  f768cf4.exe                                                       30
    PID 2428 wrote to memory of 2524  2428  f768cf4.exe                                                       30
    PID 2428 wrote to memory of 2524  2428  f768cf4.exe                                                       30
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_44f7c2d17f426caebb6f5ebf16cff96e_hacktools_xiaoba.exe"
  PID: 2212
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f768cf4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f768cf4.exe 259427587
    PID: 2428
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 600
      PID: 2524
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 3.2MB
  MD5: 9b377d5f43885d5bdecf8489676a3b01
  SHA1: 7abfacc647f88364aba2e1fb46dcd6e33c7d0b69
  SHA256: 98bfd272141531a0dc0a3250395b0d35e4009064130d822fbacc16a90dca8101
  SHA512: 40cbc18453cc717ac0b0bfddea99011a7985f6fe9ba60a9e9d553335702995a8632b3248478cafa8ee88984a3e5f56fefcb7bd226520a674b319b3c28092099e