5762557cb622a7bafc279164c44939a18c6cecd068e4e2b70d4e9f801fb8bcea

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe
Size

3.2MB
MD5

b17511e616b41a733de49942d3023f5c
SHA1

b0ebebe50bad980fd565f97e76900214db308caa
SHA256

5762557cb622a7bafc279164c44939a18c6cecd068e4e2b70d4e9f801fb8bcea
SHA512

5627fe719d4700fd6b3dade3888418d8a5869901ad70260840390d65dd1a3cd7391c15d0b65948d8aa108c75b0d90a191b22d8e592fb77879da5fdbcaa0ebd46
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NZ:DBIKRAGRe5K2UZl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2752	f7744dd.exe

Loads dropped DLL 9 IoCs

pid	Process
2636	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe
2636	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	2752	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7744dd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2636	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe
2636	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe
2752	f7744dd.exe
2752	f7744dd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2752	2636	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe	30
PID 2636 wrote to memory of 2752	2636	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe	30
PID 2636 wrote to memory of 2752	2636	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe	30
PID 2636 wrote to memory of 2752	2636	2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe	30
PID 2752 wrote to memory of 2992	2752	f7744dd.exe	32
PID 2752 wrote to memory of 2992	2752	f7744dd.exe	32
PID 2752 wrote to memory of 2992	2752	f7744dd.exe	32
PID 2752 wrote to memory of 2992	2752	f7744dd.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_b17511e616b41a733de49942d3023f5c_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7744dd.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7744dd.exe 259474668
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 600
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7744dd.exe

Filesize
3.2MB

MD5
ef77700b3aeb1ac2058ab1c93d1a8ed4

SHA1
d7d5251676fd8b51c789667924eda2d4d5268673

SHA256
2c6d3208b597936cd41d4f80c3f0a8ff257cedf6785e5e72b8a9bc86c990cbd5

SHA512
78f2603abc747de07c9400c3813e6e0243346f3d88b9ed826240db06fae3b62d8e70e38e95aca6154ce3dc394b30b0bf666fee50598a6448e65ebe464c1b518d

Download Submit
memory/2636-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2636-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2636-13-0x0000000002BE0000-0x0000000002F85000-memory.dmp

Filesize
3.6MB

Download
memory/2636-11-0x0000000002BE0000-0x0000000002F85000-memory.dmp

Filesize
3.6MB

Download
memory/2636-36-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2752-12-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2752-14-0x000000007580D000-0x000000007580E000-memory.dmp

Filesize
4KB

Download
memory/2752-44-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2752-45-0x000000007580D000-0x000000007580E000-memory.dmp

Filesize
4KB

Download