Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 18:46

Static task: static1

Behavioral task: behavioral1
Sample: 2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
Resource: win10v2004-20240802-en
General
Target: 2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
Size: 3.2MB
MD5: 17904bde3b77f4c94b9ff10bd0e91a2a
SHA1: 82055187573cbd1f98cc53c11f544ad890caacbd
SHA256: 58b66f87c14bb70b113525667163dde3cc591cf929c0ec978779df184b884f08
SHA512: 8deb6536b0522668a4adc675b2ffb1cd4a4675c626d9776558a30551ced5320982e8c05b371f0f8515822da928a038bc5e30887d1a2a214ab758665a9923a0a9
SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NF:DBIKRAGRe5K2UZJ
Malware Config

Signatures

Executes dropped EXE (1 IoC)
pid   Process
2328  f77422e.exe

Loads dropped DLL (9 IoCs)
pid   Process
1792  2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
1792  2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
3068  WerFault.exe
3068  WerFault.exe
3068  WerFault.exe
3068  WerFault.exe
3068  WerFault.exe
3068  WerFault.exe
3068  WerFault.exe

Program crash (1 IoC)
pid   pid_target  Process       procid_target
3068  2328        WerFault.exe  30
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f77422e.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid   Process
1792  2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
1792  2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
2328  f77422e.exe
2328  f77422e.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                     pid   Process                                                           procid_target
PID 1792 wrote to memory of 2328  1792  2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe  30
PID 1792 wrote to memory of 2328  1792  2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe  30
PID 1792 wrote to memory of 2328  1792  2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe  30
PID 1792 wrote to memory of 2328  1792  2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe  30
PID 2328 wrote to memory of 3068  2328  f77422e.exe                                                       32
PID 2328 wrote to memory of 3068  2328  f77422e.exe                                                       32
PID 2328 wrote to memory of 3068  2328  f77422e.exe                                                       32
PID 2328 wrote to memory of 3068  2328  f77422e.exe                                                       32
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-18_17904bde3b77f4c94b9ff10bd0e91a2a_hacktools_xiaoba.exe"
   PID: 1792
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f77422e.exe (child of PID 1792)
      Command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f77422e.exe 259473998
      PID: 2328
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (child of PID 2328)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 596
         PID: 3068
         - Loads dropped DLL
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.2MB
MD5: adc69324bc2809edbb6e2361b86ff186
SHA1: 806172d82ca4d22190d6f0b5d9a8fd993a6a702f
SHA256: 116a5b5144672e99cdf7a1641c90f1d1b40bf86c4a906a311b66aa01a4ef3607
SHA512: 0607425ce779e01b0f062fbf824e62d7a412c4ea20e167df130bf8a51979928e333f065f2304b57104512f595eb5823ed108cb1d17290289049a2429cd657f6b