Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17-03-2022 04:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    4.4MB

  • MD5

    549a8bb3b1c7ba1212b0bcd5d52ac483

  • SHA1

    3be0de1d50a3a155e8c110538863c2858276745d

  • SHA256

    ac13d53f8bdc2b3792eb241b7b112c528292c47cd35ad317cf413cdace03251e

  • SHA512

    098818e5576682b21fb755d18d59585505815a257e3081dd3cabd1711c39f15f437bf69c376cfb1433118be86a7bc6931cde3226e3b6168bf91231588bb5ced7

Score
10/10
chinese_generic_botnetbotnetpersistencesuricata

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    suricata
  • Chinese Botnet Payload 1 IoCs
    botnet
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\ProgramData\444.exe
      "C:\ProgramData\444.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Users\Admin\AppData\Local\Temp\is-79PMG.tmp\444.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-79PMG.tmp\444.tmp" /SL5="$301CA,849651,770048,C:\ProgramData\444.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:4244

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1564-137-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4244-136-0x0000000000800000-0x0000000000801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4548-131-0x0000000000400000-0x00000000004C9000-memory.dmp

    Filesize

    804KB

    Download

  • memory/4548-135-0x0000000000400000-0x00000000004C9000-memory.dmp

    Filesize

    804KB

    Download