789807b0ca834e616552a1cf8157090601fd9c1fc4671cbd02aacb1d143f6f8a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe
Size

3.2MB
MD5

dfa8bbf37abf4083222fb6e45c38641a
SHA1

7ccb718921de31e649029043e1ad074651c4619f
SHA256

789807b0ca834e616552a1cf8157090601fd9c1fc4671cbd02aacb1d143f6f8a
SHA512

66b0ee402479b4ac419d4ce836bfd358f012946b953fc33f20b6ef3ee647a3f74b5583bacd02b6e3223757a574ae04ff6dea1bafb49d142bbf729088ec45d0c2
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nv:DBIKRAGRe5K2UZL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2932	f768630.exe

Loads dropped DLL 9 IoCs

pid	Process
1984	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe
1984	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2932	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f768630.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1984	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe
1984	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe
2932	f768630.exe
2932	f768630.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2932	1984	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe	30
PID 1984 wrote to memory of 2932	1984	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe	30
PID 1984 wrote to memory of 2932	1984	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe	30
PID 1984 wrote to memory of 2932	1984	2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe	30
PID 2932 wrote to memory of 2620	2932	f768630.exe	32
PID 2932 wrote to memory of 2620	2932	f768630.exe	32
PID 2932 wrote to memory of 2620	2932	f768630.exe	32
PID 2932 wrote to memory of 2620	2932	f768630.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_dfa8bbf37abf4083222fb6e45c38641a_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f768630.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f768630.exe 259425840
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 1460
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f768630.exe

Filesize
3.2MB

MD5
561c4df7310fcf95a49a257a66eea0b2

SHA1
39add141b154851f9366440bd5c439520f92fdbf

SHA256
adb554f958863ab86422e1901c9aaadb0b972c5dd8864f4262643bd6737dc93a

SHA512
a35f19dedf4170f1b6f7cfc31ee6aa8e39420b620d0a5ba5ff31b8e9ca83831be71083696c3defe5fe25449edbbc5d7b10f70c3f17f85a2a608b50ecbff14344

Download Submit
memory/1984-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1984-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/1984-11-0x0000000002C00000-0x0000000002FA5000-memory.dmp

Filesize
3.6MB

Download
memory/1984-13-0x0000000002C00000-0x0000000002FA5000-memory.dmp

Filesize
3.6MB

Download
memory/1984-15-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2932-14-0x00000000778CD000-0x00000000778CE000-memory.dmp

Filesize
4KB

Download
memory/2932-12-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2932-42-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2932-43-0x00000000778CD000-0x00000000778CE000-memory.dmp

Filesize
4KB

Download
memory/2932-44-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download