f5ee125b85436e12b0dd46a6033944562400c1cb5785fdcf8821f77e987bf5f9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe
Size

3.2MB
MD5

8e1287edc06b4ec990bbec75ca6efd40
SHA1

3b212e38d16a0124b70ddbc88e9ea193b0c5189a
SHA256

f5ee125b85436e12b0dd46a6033944562400c1cb5785fdcf8821f77e987bf5f9
SHA512

765227ec2f038ebf3c2b5f62ab829ca3aa65b2577c1378b0e161cc5136e69d4cd9a387b0cf2ce04e02f2dd49677865c2c105772a8a3c0eb26ddda81d0a7eed1b
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1N8:DBIKRAGRe5K2UZI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	f76cb4b.exe

Loads dropped DLL 9 IoCs

pid	Process
2368	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe
2368	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2836	2112	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f76cb4b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2368	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe
2368	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe
2112	f76cb4b.exe
2112	f76cb4b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2112	2368	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe	30
PID 2368 wrote to memory of 2112	2368	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe	30
PID 2368 wrote to memory of 2112	2368	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe	30
PID 2368 wrote to memory of 2112	2368	2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe	30
PID 2112 wrote to memory of 2836	2112	f76cb4b.exe	33
PID 2112 wrote to memory of 2836	2112	f76cb4b.exe	33
PID 2112 wrote to memory of 2836	2112	f76cb4b.exe	33
PID 2112 wrote to memory of 2836	2112	f76cb4b.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-08_8e1287edc06b4ec990bbec75ca6efd40_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76cb4b.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76cb4b.exe 259443531
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1452
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76cb4b.exe

Filesize
3.2MB

MD5
dd33ada2de080230a0190c91b380cf9e

SHA1
41d2510d4412a2ea464e5b2852fea0b5c41d8632

SHA256
5e08b57da7ed5e097404c2d64092f1abf276e8c2995b9a627618dd267be5b8f8

SHA512
e82d12d050c1791e02933a91bd1a25e9f97fa4640e123eb5c3416dbdde2de6b21b49461c6a0e0962759c4108ff566b3274b379aa4f7c1800460dcbc7917b2514

Download Submit
memory/2112-12-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2112-14-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2112-42-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2368-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2368-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2368-13-0x0000000002F10000-0x00000000032B5000-memory.dmp

Filesize
3.6MB

Download
memory/2368-11-0x0000000002F10000-0x00000000032B5000-memory.dmp

Filesize
3.6MB

Download
memory/2368-15-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download