Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 19/06/2024, 20:31
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe
  Resource: win10v2004-20240611-en
General
Target: 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe
Size: 3.2MB
MD5: ae2863f255bf3743c1b46f72f7573b7b
SHA1: e946146f630bcbda27b84212d78f0ab1057bd4c6
SHA256: 2988ed74b1814b0d04f80f10edd7bd6b51992963c6d68167df412086f78fd0c3
SHA512: 0685a4420c4708ae632ce85f0e4b12ec18f81b48d979d98cc7896cbdb05861384df2de52496564137b875b33bf8452ea09611a8d9e62718900c45586e6a67724
SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NF:DBIKRAGRe5K2UZJ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1764 | Process f7621c3.exe
Loads dropped DLL (9 IoCs)
  pid 2740 | Process 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe
  pid 2740 | Process 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe
  pid 2784 | Process WerFault.exe
  pid 2784 | Process WerFault.exe
  pid 2784 | Process WerFault.exe
  pid 2784 | Process WerFault.exe
  pid 2784 | Process WerFault.exe
  pid 2784 | Process WerFault.exe
  pid 2784 | Process WerFault.exe
Program crash (1 IoC)
  pid 2784 | pid_target 1764 | Process WerFault.exe | procid_target 28
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2740 | Process 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe
  pid 2740 | Process 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe
  pid 1764 | Process f7621c3.exe
  pid 1764 | Process f7621c3.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description PID 2740 wrote to memory of 1764 | pid 2740 | Process 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe | procid_target 28
  description PID 2740 wrote to memory of 1764 | pid 2740 | Process 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe | procid_target 28
  description PID 2740 wrote to memory of 1764 | pid 2740 | Process 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe | procid_target 28
  description PID 2740 wrote to memory of 1764 | pid 2740 | Process 2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe | procid_target 28
  description PID 1764 wrote to memory of 2784 | pid 1764 | Process f7621c3.exe | procid_target 30
  description PID 1764 wrote to memory of 2784 | pid 1764 | Process f7621c3.exe | procid_target 30
  description PID 1764 wrote to memory of 2784 | pid 1764 | Process f7621c3.exe | procid_target 30
  description PID 1764 wrote to memory of 2784 | pid 1764 | Process f7621c3.exe | procid_target 30
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-19_ae2863f255bf3743c1b46f72f7573b7b_hacktools_xiaoba.exe"
  PID: 2740
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7621c3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7621c3.exe 259400131
    PID: 1764
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 600
      PID: 2784
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 3.2MB
MD5: a64aaec961850d1618aaedcbe79ce0c9
SHA1: 1db7b5f3737467bbee19280a5778c7410348db80
SHA256: 4f00a2f484d05eec67e691e4c8249276889cd0712c4b2e99c345a4f064304dab
SHA512: 3c8bf2d89c0cbef70335d1d5fdbebf8d29646dd5f4c4f8b17face8b0c10926a270cf0caaaf44bc73185b311d37b7f823d6863d584712e78a2f6d3c58dab6be7f