chinese_generic_botnet | a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a

Analysis

max time kernel
160s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
19-03-2022 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a.exe
Size

644KB
MD5

cc8a1ee29a948344ae660b627b865004
SHA1

f60ec55c5dd3c7b2dd2449766b7d6591be0c0207
SHA256

a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a
SHA512

72fdaa012cd85cb9b0891473d75b967d952a03a6e14998e5c5b2f9cc78b1a0256cccfd05d9fce4e0c895ec1cee18b8794c2c11e0416bf0d00652314545fd6785

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet Payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/4840-134-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cgwkska.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a.exe"	a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4840	a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a.exe
4840	a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4840	a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a.exe

C:\Users\Admin\AppData\Local\Temp\a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a.exe
"C:\Users\Admin\AppData\Local\Temp\a5f5969c379de8e9b31c8619b3cf390f538c44e4f538b735fd212c4b1d9d741a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4840-134-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download