chinese_generic_botnet | 3d2ced1b815c6aa31457030af8e4255dfb1b06d6b583a747e15272530824a6fa | Triage

Analysis

max time kernel
130s
max time network
143s
platform
windows7_x64
resource
win7-en-20211208
submitted
10-02-2022 15:28

Sharing

Report Analysis Logs

General

Target

demoo.dll
Size

3.3MB
MD5

1af9024e05e21428386247905f59a7ab
SHA1

1802f64add91791808262bb60984424f95f28e2e
SHA256

3d2ced1b815c6aa31457030af8e4255dfb1b06d6b583a747e15272530824a6fa
SHA512

3171177b8aa8c7cc7354231f512879ef86c8c81c3784a38837852c1f80efa45a560ba2ddafb17fc5002bb8bfdb1b1ed3cb1de5cd933e5e167a0c7a1727c39cb4

Score

10^/10

chinese_generic_botnet botnet vmprotect

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1608-57-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet

Blocklisted process makes network request 8 IoCs

flow	pid	Process
3	1608	rundll32.exe
5	1608	rundll32.exe
6	1608	rundll32.exe
7	1608	rundll32.exe
8	1608	rundll32.exe
9	1608	rundll32.exe
10	1608	rundll32.exe
11	1608	rundll32.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1608-55-0x0000000073C40000-0x000000007412E000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1608	1592	rundll32.exe	27
PID 1592 wrote to memory of 1608	1592	rundll32.exe	27
PID 1592 wrote to memory of 1608	1592	rundll32.exe	27
PID 1592 wrote to memory of 1608	1592	rundll32.exe	27
PID 1592 wrote to memory of 1608	1592	rundll32.exe	27
PID 1592 wrote to memory of 1608	1592	rundll32.exe	27
PID 1592 wrote to memory of 1608	1592	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\demoo.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\demoo.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x0000000073C40000-0x000000007412E000-memory.dmp

Filesize
4.9MB

Download
memory/1608-57-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download