Analysis Overview
SHA256
79a0ea8711cd6bb5be07a0bc3630a4c58177501267ffa02492988e073e8c0251
Threat Level: Shows suspicious behavior
The file 2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-31 15:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 15:52
Reported
2024-05-31 15:55
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe"
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe 259400646
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 580
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| GB | 163.171.146.42:80 | www.ip138.com | tcp |
| GB | 163.171.146.42:443 | www.ip138.com | tcp |
Files
memory/2932-1-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2932-0-0x0000000000400000-0x00000000007A5000-memory.dmp
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7623b6.exe
| MD5 | 55cc7683717d69be9952c55b111cabc5 |
| SHA1 | a930700beac12a19bfa97462dd6ff508e0675e1c |
| SHA256 | df70c36f2ab8a332417564da35ff6ce62c1dae060b9f0d3969d536a88d4fdf8c |
| SHA512 | a62a2066658cfb92892f2bf7c1f9791ff772567940aee24e58b602b4fcd5b703603050fe9676ffbade55a28986a5539d23b8f001c00076dd0446e401a0246c99 |
memory/2452-11-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2452-13-0x000000007699D000-0x000000007699E000-memory.dmp
memory/2932-12-0x0000000002A60000-0x0000000002E05000-memory.dmp
memory/2932-32-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2452-43-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/2452-44-0x000000007699D000-0x000000007699E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 15:52
Reported
2024-05-31 15:55
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
161s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3604 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe |
| PID 3604 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe |
| PID 3604 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe | C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_fba5952c01ddfadc5498bd31d77dcd73_hacktools_xiaoba.exe"
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe 240646000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 100 -ip 100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 2052
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| GB | 163.171.129.134:80 | www.ip138.com | tcp |
| GB | 163.171.129.134:443 | www.ip138.com | tcp |
| US | 8.8.8.8:53 | 134.129.171.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
Files
memory/3604-0-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/3604-1-0x0000000000400000-0x00000000007A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57f760.exe
| MD5 | 7c9bd7c4f0728d414eda5b336ada4f08 |
| SHA1 | d4f7692fd2d5324a02dd112c3fb91219d9763db2 |
| SHA256 | 2be76055be03f5c487a47cd999957678687732daad50bfbae1a3ddc1b5f2f2f5 |
| SHA512 | 7e34d0126fa1050dad56619abea51631470ed043928c741b322934f65b9ac35b375038277443418af9c095a72c87143430c1866e3332693e399780b673df0011 |
memory/3604-7-0x0000000000400000-0x00000000007A5000-memory.dmp
memory/100-17-0x000000007589A000-0x000000007589B000-memory.dmp
memory/100-21-0x0000000000400000-0x00000000007A5000-memory.dmp