e623d4f88caa0f28c9402e64e227ebb0ff30daa0dffb737f9fd3ecadc456c771

Analysis

max time kernel
40s
max time network
65s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe
Size

3.2MB
MD5

29ef68b78e9ca456fc42c800cc2c5a99
SHA1

e23f23ab8c9ed6dc1168cc3e8ca12b11cc8643ed
SHA256

e623d4f88caa0f28c9402e64e227ebb0ff30daa0dffb737f9fd3ecadc456c771
SHA512

840267ac3779426bf2d701e599b4ed50e4ddfc2041d388c5321b7cc356f0106fbc9dbba50844e5d92669e39f3077dd50922d6b8616a2b9840eef330195571afd
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NV:DBIKRAGRe5K2UZx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2524	f77b6a2.exe

Loads dropped DLL 9 IoCs

pid	Process
2780	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe
2780	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2692	2524	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f77b6a2.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2780	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe
2780	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe
2524	f77b6a2.exe
2524	f77b6a2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2524	2780	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe	30
PID 2780 wrote to memory of 2524	2780	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe	30
PID 2780 wrote to memory of 2524	2780	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe	30
PID 2780 wrote to memory of 2524	2780	2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe	30
PID 2524 wrote to memory of 2692	2524	f77b6a2.exe	32
PID 2524 wrote to memory of 2692	2524	f77b6a2.exe	32
PID 2524 wrote to memory of 2692	2524	f77b6a2.exe	32
PID 2524 wrote to memory of 2692	2524	f77b6a2.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_29ef68b78e9ca456fc42c800cc2c5a99_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f77b6a2.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f77b6a2.exe 259503809
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 596
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f77b6a2.exe

Filesize
3.2MB

MD5
894388247c62957bf8390ffaf2092006

SHA1
491bebf0732256ef78131680b3073f08bc338624

SHA256
8f66f071cd1ca3683ff8257a90725f3c10fe84c1d51e308c317621f6eb8ee568

SHA512
47f427db22acfb75171055bec724e57bdd55006fbee2ed7f88081b0bfc684ac5c86934dcaed5ba8852394ce4c5749afb04d114def6cc158cb6ddfd55116d7ca8

Download Submit
memory/2524-13-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2524-14-0x000000007618D000-0x000000007618E000-memory.dmp

Filesize
4KB

Download
memory/2524-44-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2524-45-0x000000007618D000-0x000000007618E000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2780-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2780-12-0x0000000003100000-0x00000000034A5000-memory.dmp

Filesize
3.6MB

Download
memory/2780-11-0x0000000003100000-0x00000000034A5000-memory.dmp

Filesize
3.6MB

Download
memory/2780-33-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download