Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10-08-2024 01:15
Static task: static1

Behavioral task: behavioral1
Sample: 2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
Resource: win10v2004-20240802-en
General

Target: 2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
Size: 3.2MB
MD5: 4b1f2a3dadaa9ae88cc38d747ad1ba6c
SHA1: 4c6517f7bb0496b6d53a8de8b52e0bbb94e5a997
SHA256: f4403ff06b2d96213b840bff2b198af79f6051c7f36d798fdd5ab878f631ffef
SHA512: 4315d6c29d190c237e6c2b5c1b5bba232690c6e5748cca89a559a37f63c3b4e882a434acc7b80e1ccb3445ced50878e4edd74aa9a65a5e17280abc42845ee2e1
SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Ns:DBIKRAGRe5K2UZA
Malware Config
Signatures
Executes dropped EXE (1 IoC)

pid   Process
1672  f76c4c5.exe

Loads dropped DLL (9 IoCs)

pid   Process
2524  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
2524  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
2660  WerFault.exe
2660  WerFault.exe
2660  WerFault.exe
2660  WerFault.exe
2660  WerFault.exe
2660  WerFault.exe
2660  WerFault.exe

Program crash (1 IoC)

pid   pid_target  Process       procid_target
2660  1672        WerFault.exe  30
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76c4c5.exe
Suspicious use of SetWindowsHookEx (4 IoCs)

pid   Process
2524  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
2524  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
1672  f76c4c5.exe
1672  f76c4c5.exe

Suspicious use of WriteProcessMemory (8 IoCs)

description                       pid   Process                                                          procid_target
PID 2524 wrote to memory of 1672  2524  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe  30
PID 2524 wrote to memory of 1672  2524  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe  30
PID 2524 wrote to memory of 1672  2524  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe  30
PID 2524 wrote to memory of 1672  2524  2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe  30
PID 1672 wrote to memory of 2660  1672  f76c4c5.exe                                                      33
PID 1672 wrote to memory of 2660  1672  f76c4c5.exe                                                      33
PID 1672 wrote to memory of 2660  1672  f76c4c5.exe                                                      33
PID 1672 wrote to memory of 2660  1672  f76c4c5.exe                                                      33
Processes

Process tree (depth 1):
C:\Users\Admin\AppData\Local\Temp\2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-10_4b1f2a3dadaa9ae88cc38d747ad1ba6c_hacktools_xiaoba.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2524

  Child process (depth 2, parent PID 2524):
  C:\Users\Admin\AppData\Local\Temp\配置\f76c4c5.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\配置\f76c4c5.exe 259441861
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1672

    Child process (depth 3, parent PID 1672):
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1456
    - Loads dropped DLL
    - Program crash
    PID: 2660
Downloads

Filesize: 3.2MB
MD5: 84826d32e92a4bfe0565c66f9a85e9ef
SHA1: e0c34584b7a4d9522009debb33944129f57e6db8
SHA256: 6575b25936df396abe5ce4f5f700f89eefd15cd79adb70f6cc83bbf874909f4c
SHA512: 5025f812b0040fba04dc16b8c52be36f5310aab5edfc3edbfcbf89716fa8b4f480efa9c3e9941ae15f1660add88efce4b2f60790f1e4da69141bbd3b71326d05