Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 00:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe
-
Size
3.2MB
-
MD5
29388b7c78930fc22a4ae51e7ff294f6
-
SHA1
840c40e4f3f3379c1368c7aabd4efe2b377b2448
-
SHA256
b3244bfb4fb2a9763b84ef400d9e29a09ef4748cc718912c84867417c7df697c
-
SHA512
5c14983053dbcd2df6337f31e54083ba4518c29f79354119064c108939d7bd491f34741329a10891a060e51915c01fa779a473435475442a988861051809f6da
-
SSDEEP
49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1NN:DBIKRAGRe5K2UZR
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3572 e57c3ae.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3904 3572 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57c3ae.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3308 2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe 3308 2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe 3572 e57c3ae.exe 3572 e57c3ae.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3308 wrote to memory of 3572 3308 2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe 84 PID 3308 wrote to memory of 3572 3308 2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe 84 PID 3308 wrote to memory of 3572 3308 2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-09_29388b7c78930fc22a4ae51e7ff294f6_hacktools_xiaoba.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57c3ae.exeC:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e57c3ae.exe 2406327652⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3572 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 20723⤵
- Program crash
PID:3904
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3572 -ip 35721⤵PID:1488
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5a00608e7a27d66fa72a837cee325d16f
SHA1334015422aa4bddc02150a11591ae5bc162015e1
SHA25621d464029ea859fa97d4c43c2f7e01ad8a4625b037afb36d1884be1b22e15bd0
SHA512fb8a64e411aecefc0e120760d871380bc728d9cd3deadc01e574858d53c02a97df00cafea6f1d015264cf0152f95089573902503b71c2f58dcd751a9ae0ad946