c073d01bff6e952c4f878251154cc6a62546ba5da48cc13e6ca0f6ccbdea64a0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 10:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe
Size

3.2MB
MD5

1fc2cd904622d822a2fed4ce6fa93642
SHA1

0455aede6e34b8650c0db0cae089e87435be2a0c
SHA256

c073d01bff6e952c4f878251154cc6a62546ba5da48cc13e6ca0f6ccbdea64a0
SHA512

f3856697f5246c0fcac51a0914232c372bf452881964c020f2c8202dc04f19bb039943782f59de0ccfd0f7c02dee1263e6077c4952229170454736bd8e8ab02f
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NV:DBIKRAGRe5K2UZp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1084	f77eafb.exe

Loads dropped DLL 9 IoCs

pid	Process
1756	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe
1756	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2412	1084	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f77eafb.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1756	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe
1756	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe
1084	f77eafb.exe
1084	f77eafb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1084	1756	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe	29
PID 1756 wrote to memory of 1084	1756	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe	29
PID 1756 wrote to memory of 1084	1756	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe	29
PID 1756 wrote to memory of 1084	1756	2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe	29
PID 1084 wrote to memory of 2412	1084	f77eafb.exe	31
PID 1084 wrote to memory of 2412	1084	f77eafb.exe	31
PID 1084 wrote to memory of 2412	1084	f77eafb.exe	31
PID 1084 wrote to memory of 2412	1084	f77eafb.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_1fc2cd904622d822a2fed4ce6fa93642_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f77eafb.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f77eafb.exe 259517179
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1448
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f77eafb.exe

Filesize
3.2MB

MD5
1f3ba83db0afbb536a5bb65304c392bf

SHA1
5c6132d0f336c78fa5eed9f11aa07aa8df497254

SHA256
55fcccec18e891e97e543a1e6006f20f4fc936ecf6eeeb74b832ca86c7786938

SHA512
ae565832f811cc4a3759dba6ea7f6a6aab3e076e19c03520fb44cab16f72c077cbe7ab52b2f931e66931eafc0c228892a6690d12f44c7c360fca963cfa9ad8b0

Download Submit
memory/1084-13-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1084-14-0x000000007720D000-0x000000007720E000-memory.dmp

Filesize
4KB

Download
memory/1084-37-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1084-38-0x000000007720D000-0x000000007720E000-memory.dmp

Filesize
4KB

Download
memory/1756-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1756-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1756-9-0x0000000002EC0000-0x0000000003265000-memory.dmp

Filesize
3.6MB

Download
memory/1756-10-0x0000000002EC0000-0x0000000003265000-memory.dmp

Filesize
3.6MB

Download
memory/1756-15-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download