f8f0dc0aa43c0461d254cbbb0a4a8d4d8e00234020502a0993cc636e9dcf3f8f

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xiaoma.exe
Size

1.8MB
MD5

9348f5c3958b63ccbea7445cfe346280
SHA1

6e0622bef345cc193f8eb2cb2d43900dfe6c91e1
SHA256

f8f0dc0aa43c0461d254cbbb0a4a8d4d8e00234020502a0993cc636e9dcf3f8f
SHA512

84ec3429a23459418697ab247daf07ac93e1bf0b76822ed7ed065f5de933545e537421dc74639f394b536cc4e148446cb0880e2367efa9bab64d1b35ab716921
SSDEEP

24576:Qq9fTCadIMwPw6iDvuIwpAiFXaIqXUOJLKT3xlUVcvsn9ueScRd/wxn17:n97C2GH0IqtgFlZsn9ueoxn17

Score

7^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2052	_J8201NOVDEC.exe
2000	Xiaoma.exe
2892	DvLayout.exe
2752	J8201NOVDEC.exe
2176	wrme.exe

Loads dropped DLL 9 IoCs

pid	Process
2988	xiaoma.exe
2988	xiaoma.exe
2988	xiaoma.exe
2000	Xiaoma.exe
2988	xiaoma.exe
2892	DvLayout.exe
2892	DvLayout.exe
2892	DvLayout.exe
2892	DvLayout.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
976	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	J8201NOVDEC.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_320C97D80B18D9AAD99710A56CE7FDB7	J8201NOVDEC.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0W9AM5O7.txt	J8201NOVDEC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0W9AM5O7.txt	J8201NOVDEC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	J8201NOVDEC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_320C97D80B18D9AAD99710A56CE7FDB7	J8201NOVDEC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	J8201NOVDEC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	J8201NOVDEC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	J8201NOVDEC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	J8201NOVDEC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiaoma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xiaoma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DvLayout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_J8201NOVDEC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	J8201NOVDEC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2996	cmd.exe
2676	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016650-10.dat	nsis_installer_2

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AA6D0BC-2585-4DEF-82AB-C14DD0E48705}\2a-26-f8-36-17-f7	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	J8201NOVDEC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-26-f8-36-17-f7	J8201NOVDEC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AA6D0BC-2585-4DEF-82AB-C14DD0E48705}\WpadDecisionReason = "1"	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	J8201NOVDEC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	J8201NOVDEC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0116000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AA6D0BC-2585-4DEF-82AB-C14DD0E48705}	J8201NOVDEC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-26-f8-36-17-f7\WpadDecisionTime = 2027ac83f73bdb01	J8201NOVDEC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	J8201NOVDEC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmic.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	J8201NOVDEC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-26-f8-36-17-f7\WpadDecision = "0"	J8201NOVDEC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AA6D0BC-2585-4DEF-82AB-C14DD0E48705}\WpadDecisionTime = 2027ac83f73bdb01	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	J8201NOVDEC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	J8201NOVDEC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AA6D0BC-2585-4DEF-82AB-C14DD0E48705}\WpadDecision = "0"	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	J8201NOVDEC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	J8201NOVDEC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	J8201NOVDEC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	J8201NOVDEC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-26-f8-36-17-f7\WpadDecisionReason = "1"	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	J8201NOVDEC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	J8201NOVDEC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AA6D0BC-2585-4DEF-82AB-C14DD0E48705}\WpadNetworkName = "Network 3"	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	J8201NOVDEC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	J8201NOVDEC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2676	PING.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeShutdownPrivilege	976	powercfg.exe
Token: SeShutdownPrivilege	976	powercfg.exe
Token: SeShutdownPrivilege	976	powercfg.exe
Token: SeShutdownPrivilege	976	powercfg.exe
Token: SeShutdownPrivilege	976	powercfg.exe
Token: SeCreatePagefilePrivilege	976	powercfg.exe
Token: SeIncBasePriorityPrivilege	2892	DvLayout.exe
Token: SeAssignPrimaryTokenPrivilege	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2052	2988	xiaoma.exe	30
PID 2988 wrote to memory of 2052	2988	xiaoma.exe	30
PID 2988 wrote to memory of 2052	2988	xiaoma.exe	30
PID 2988 wrote to memory of 2052	2988	xiaoma.exe	30
PID 2988 wrote to memory of 2000	2988	xiaoma.exe	31
PID 2988 wrote to memory of 2000	2988	xiaoma.exe	31
PID 2988 wrote to memory of 2000	2988	xiaoma.exe	31
PID 2988 wrote to memory of 2000	2988	xiaoma.exe	31
PID 2988 wrote to memory of 2892	2988	xiaoma.exe	32
PID 2988 wrote to memory of 2892	2988	xiaoma.exe	32
PID 2988 wrote to memory of 2892	2988	xiaoma.exe	32
PID 2988 wrote to memory of 2892	2988	xiaoma.exe	32
PID 2892 wrote to memory of 976	2892	DvLayout.exe	33
PID 2892 wrote to memory of 976	2892	DvLayout.exe	33
PID 2892 wrote to memory of 976	2892	DvLayout.exe	33
PID 2892 wrote to memory of 976	2892	DvLayout.exe	33
PID 2892 wrote to memory of 2176	2892	DvLayout.exe	37
PID 2892 wrote to memory of 2176	2892	DvLayout.exe	37
PID 2892 wrote to memory of 2176	2892	DvLayout.exe	37
PID 2892 wrote to memory of 2176	2892	DvLayout.exe	37
PID 2052 wrote to memory of 2996	2052	_J8201NOVDEC.exe	36
PID 2052 wrote to memory of 2996	2052	_J8201NOVDEC.exe	36
PID 2052 wrote to memory of 2996	2052	_J8201NOVDEC.exe	36
PID 2052 wrote to memory of 2996	2052	_J8201NOVDEC.exe	36
PID 2892 wrote to memory of 2768	2892	DvLayout.exe	39
PID 2892 wrote to memory of 2768	2892	DvLayout.exe	39
PID 2892 wrote to memory of 2768	2892	DvLayout.exe	39
PID 2892 wrote to memory of 2768	2892	DvLayout.exe	39
PID 2996 wrote to memory of 2676	2996	cmd.exe	41
PID 2996 wrote to memory of 2676	2996	cmd.exe	41
PID 2996 wrote to memory of 2676	2996	cmd.exe	41
PID 2996 wrote to memory of 2676	2996	cmd.exe	41
PID 2752 wrote to memory of 2080	2752	J8201NOVDEC.exe	43
PID 2752 wrote to memory of 2080	2752	J8201NOVDEC.exe	43
PID 2752 wrote to memory of 2080	2752	J8201NOVDEC.exe	43
PID 2752 wrote to memory of 2080	2752	J8201NOVDEC.exe	43

C:\Users\Admin\AppData\Local\Temp\xiaoma.exe
"C:\Users\Admin\AppData\Local\Temp\xiaoma.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\_J8201NOVDEC.exe
  C:\Users\Admin\AppData\Local\Temp\_J8201NOVDEC.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\_J8201NOVDEC.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 3 127.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2676
- C:\Users\Admin\AppData\Local\Temp\Xiaoma.exe
  C:\Users\Admin\AppData\Local\Temp\Xiaoma.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\DvLayout.exe
  "C:\Users\Admin\AppData\Roaming\..\Local\Microsoft\WindowsApps\DvLayout.exe" 200201 Helicarrier wccenter.exe wrme.exe wuhost.exe wdlogin.exe LSI_SAS2l iaLPSS1z "CSIDL_LOCAL_APPDATA&Microsoft\Event Viewer"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /h off
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\wrme.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\wrme.exe" -install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\DvLayout.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768

C:\Users\Admin\AppData\Local\Temp\J8201NOVDEC.exe
C:\Users\Admin\AppData\Local\Temp\J8201NOVDEC.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic BaseBoard get SerialNumber
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\wrme.exe

Filesize
718KB

MD5
84e38c4e6a3b05db499f140b28637a82

SHA1
8c694d99b6e47ea3940d79491a4d8a917985a459

SHA256
cded67dfa65185dd4f1f971616a348831a0b386bd7594b5494fba4b69ffc5e5c

SHA512
17137558c43eae99b5cf0a427055cdd545cbb0c9a49a1895081d93a305ce759f4e7ff68b6a33f803d22f54d55ee62c26d90c65cde72a2a640afad558076161db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\KMDF_LOOK.sys

Filesize
50KB

MD5
8f938fd933d241bbeba2c25e014d98c0

SHA1
f0a1a5b26b0e9b15a2b2ae3d0df8bf275fc72f2a

SHA256
2945014c5e47b14576542edfb534f2fa5b72b548d6c236f062972eae5e99db0e

SHA512
fc9ee77aa7cb2001b8a6ecf11941a80d0e48dd6e5e16ce4808bec3aabc94c3eead567a70e9bf3513dac87e14b7cc971c800920053d300ba6860f3de6f0d41668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\KMDF_Protect.sys

Filesize
34KB

MD5
87b33bf653499f0d9166cd7ff0029780

SHA1
19ee0bfcdcbafc1749f5a5cee0c8c625a8277102

SHA256
b5a37d47bfa486ce2e7210ed429e55cdfb894299d14537c85f7e695c48dc07f5

SHA512
92cffd87b7167c27505e037b1698b5bbb5732c4701155f0d1b89ba5cc74eea3491a9d64ee0f7858de56c20bce3ebac95872731a3f3c0d303e81b0839453e890f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_J8201NOVDEC.exe

Filesize
900KB

MD5
1474bd3eda2e087560754241a0b92991

SHA1
e1e66d856800dbb5ef5bf9c8e937b6514b9f02d7

SHA256
c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc

SHA512
ca2cbc155cef666c46e6e4c07cc2e9a61bd15cef8f8f1902d06c6178a1968487fc2ad78e018621a09836755c524215aa9fcb6e62d52b210deec10162edcc9b7f

Download Submit
\Users\Admin\AppData\Local\Microsoft\WindowsApps\DvLayout.exe

Filesize
257KB

MD5
5aa33823c2a97b8c2a182e84f6520742

SHA1
20fb164f8d6c7c248b9e3ad61eb96b81f6be8f43

SHA256
551c4564d5ff537572fd356fe96df7c45bf62de9351fae5bb4e6f81dcbe34ae5

SHA512
45500a651c226620aef1078235b5d0425301ed3118824bdcbb26add368a8c28ce5a7559d7e3310ff6e6f8a6feb86136b54dd2dce3a279bc3b483409c6a766b35

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBD68.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\xiaoma.exe

Filesize
1.8MB

MD5
9348f5c3958b63ccbea7445cfe346280

SHA1
6e0622bef345cc193f8eb2cb2d43900dfe6c91e1

SHA256
f8f0dc0aa43c0461d254cbbb0a4a8d4d8e00234020502a0993cc636e9dcf3f8f

SHA512
84ec3429a23459418697ab247daf07ac93e1bf0b76822ed7ed065f5de933545e537421dc74639f394b536cc4e148446cb0880e2367efa9bab64d1b35ab716921

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads