d060b669be8c266898f30f2432e6e9969cbc4a133bbf6a8e454ba956c8f029ff

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe
Size

3.2MB
MD5

694c45647bffc02a07619a7b083820ab
SHA1

19923f0f5ca2822b6c71d23532b9e15dc94c8110
SHA256

d060b669be8c266898f30f2432e6e9969cbc4a133bbf6a8e454ba956c8f029ff
SHA512

8459cf4812447c8b08077099a7acb01d637c77eca9b1e4824ac3b2332104761f85fe64c24f1affe380b1a86a700482e1598f38b9260470ce8f912e841f60660b
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NR:DBIKRAGRe5K2UZt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	f76cffc.exe

Loads dropped DLL 9 IoCs

pid	Process
2520	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe
2520	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	2340	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f76cffc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2520	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe
2520	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe
2340	f76cffc.exe
2340	f76cffc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2340	2520	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe	31
PID 2520 wrote to memory of 2340	2520	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe	31
PID 2520 wrote to memory of 2340	2520	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe	31
PID 2520 wrote to memory of 2340	2520	2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe	31
PID 2340 wrote to memory of 2812	2340	f76cffc.exe	33
PID 2340 wrote to memory of 2812	2340	f76cffc.exe	33
PID 2340 wrote to memory of 2812	2340	f76cffc.exe	33
PID 2340 wrote to memory of 2812	2340	f76cffc.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-03_694c45647bffc02a07619a7b083820ab_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76cffc.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76cffc.exe 259444747
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1456
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76cffc.exe

Filesize
3.2MB

MD5
8f57d1b8aeb60019da08161fbd8ec6f4

SHA1
8b4e62a71d05548fa24df05ab3ed45b64d4e3110

SHA256
ecadb51b3af029da5caceb32b15ba4112e07ac0df044bb13be7d250e5bd26ddf

SHA512
6a89185f84b9ad16ca961f4fa817565f65b6952eeb5ce904a375531f8a38b75bbeb7dcaf04f97234c3cd9d9b5bfd82087b92d668e54f1176b115d0bc4307457d

Download Submit
memory/2340-13-0x000000007559D000-0x000000007559E000-memory.dmp

Filesize
4KB

Download
memory/2340-41-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2340-42-0x000000007559D000-0x000000007559E000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2520-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2520-10-0x0000000002AC0000-0x0000000002E65000-memory.dmp

Filesize
3.6MB

Download
memory/2520-9-0x0000000002AC0000-0x0000000002E65000-memory.dmp

Filesize
3.6MB

Download
memory/2520-14-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download