58b1fcaabba63fdcf3b01273c0306763578b2ee159ef3290bb3c9be373007fe7

Analysis

max time kernel
63s
max time network
33s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 09:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe
Size

3.2MB
MD5

2940b8984b8071fe9fdbe1e93692e2d4
SHA1

235af03f662384c8be6c0dffe8214da917959291
SHA256

58b1fcaabba63fdcf3b01273c0306763578b2ee159ef3290bb3c9be373007fe7
SHA512

6145641905fc075545bf8a11780ba840e80b7c60d9aa20546aa1859054db691c791c017c10392636ada7286d3f8261d854492801e82dab3fd601d1385ef5768e
SSDEEP

49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1N0:DBIKRAGRe5K2UZg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	f7780e3.exe

Loads dropped DLL 9 IoCs

pid	Process
528	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe
528	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2796	2248	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7780e3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
528	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe
528	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe
2248	f7780e3.exe
2248	f7780e3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 2248	528	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe	30
PID 528 wrote to memory of 2248	528	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe	30
PID 528 wrote to memory of 2248	528	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe	30
PID 528 wrote to memory of 2248	528	2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe	30
PID 2248 wrote to memory of 2796	2248	f7780e3.exe	32
PID 2248 wrote to memory of 2796	2248	f7780e3.exe	32
PID 2248 wrote to memory of 2796	2248	f7780e3.exe	32
PID 2248 wrote to memory of 2796	2248	f7780e3.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_2940b8984b8071fe9fdbe1e93692e2d4_hacktools_xiaoba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7780e3.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7780e3.exe 259490019
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 596
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f7780e3.exe

Filesize
3.2MB

MD5
826d377e827e005291c0edf9817c4715

SHA1
26ccd84c204d5562db08d397ec5e7f4f13b11608

SHA256
252065eed93099b43bb05ee6926c8ad9069b93f56a0ac6a948a2e61316328915

SHA512
24ef14a719e5b7fb0b42330d79f0edc1d3bba8f79cd6a12171578c4d74c354173f152f747f8326af17d72b6724edb1b4d5a4cbdf88db2ea973de7d6b85ba6f7f

Download Submit
memory/528-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/528-1-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/528-9-0x0000000003030000-0x00000000033D5000-memory.dmp

Filesize
3.6MB

Download
memory/528-12-0x0000000003030000-0x00000000033D5000-memory.dmp

Filesize
3.6MB

Download
memory/528-33-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2248-13-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2248-14-0x0000000076ABD000-0x0000000076ABE000-memory.dmp

Filesize
4KB

Download
memory/2248-44-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/2248-45-0x0000000076ABD000-0x0000000076ABE000-memory.dmp

Filesize
4KB

Download
memory/2248-46-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download