chinese_generic_botnet | 15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd

General

Target

15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
Size

3.7MB
MD5

7095a724461739b15822fd0dd49b327f
SHA1

3d98b504b552c0b86912aaaec3cb9658f8b9260e
SHA256

15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd
SHA512

1753efee3a36f8aeb6fec810433e7f07feef30774b9ba65d6c3487862f88f64fc006e12a166a306f1be1974fb1e50129587897d63b919e700c9dbf8abd1a2272

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet Payload 3 IoCs

botnet

resource	yara_rule
behavioral2/memory/5096-151-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet
behavioral2/memory/860-157-0x0000000000400000-0x000000000057C000-memory.dmp	unk_chinese_botnet
behavioral2/memory/5096-158-0x0000000000400000-0x000000000057C000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 3 IoCs

pid	Process
3280	QMDesktopAnimation.exe
5096	lsass.exe
860	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
3280	QMDesktopAnimation.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360°²È«·þÎñ = "C:\\Users\\QMDesktopAnimation.exe"	QMDesktopAnimation.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 40 IoCs

pid	Process
5104	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
5096	lsass.exe
5096	lsass.exe
860	lsass.exe
860	lsass.exe
5096	lsass.exe
860	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe
5096	lsass.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5104	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
5104	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5104	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
5104	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
3280	QMDesktopAnimation.exe
5096	lsass.exe
860	lsass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3280	5104	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe	79
PID 5104 wrote to memory of 3280	5104	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe	79
PID 5104 wrote to memory of 3280	5104	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe	79
PID 3280 wrote to memory of 5096	3280	QMDesktopAnimation.exe	82
PID 3280 wrote to memory of 5096	3280	QMDesktopAnimation.exe	82
PID 3280 wrote to memory of 5096	3280	QMDesktopAnimation.exe	82
PID 3280 wrote to memory of 860	3280	QMDesktopAnimation.exe	84
PID 3280 wrote to memory of 860	3280	QMDesktopAnimation.exe	84
PID 3280 wrote to memory of 860	3280	QMDesktopAnimation.exe	84

C:\Users\Admin\AppData\Local\Temp\15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
"C:\Users\Admin\AppData\Local\Temp\15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\QMDesktopAnimation.exe
  C:\Users\QMDesktopAnimation.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Public\lsass.exe
    C:\Users\Public\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:5096
- - C:\Users\Public\lsass.exe
    C:\Users\Public\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\ExceptCatch.dll

Filesize
2.2MB

MD5
be31e9cbf3aaa02fec9a6dc2fe49b8f1

SHA1
dd554ece008b8d5a9425fa7b5792033e42217484

SHA256
931bd3c45bca3a6766e67870457663ae386c04a4983b57cd10b83c1c5fddd19a

SHA512
9757bee88f27d9e5a860f3a69046e23bbfea39521c09bb59476fcf5e53eea530e04d717ebe1805a0af78c5d8e4cf0d988fe1e94c1e1c5543c89449debe070a0a

Download Submit
C:\Users\ExceptCatch.dll

Filesize
2.2MB

MD5
be31e9cbf3aaa02fec9a6dc2fe49b8f1

SHA1
dd554ece008b8d5a9425fa7b5792033e42217484

SHA256
931bd3c45bca3a6766e67870457663ae386c04a4983b57cd10b83c1c5fddd19a

SHA512
9757bee88f27d9e5a860f3a69046e23bbfea39521c09bb59476fcf5e53eea530e04d717ebe1805a0af78c5d8e4cf0d988fe1e94c1e1c5543c89449debe070a0a

Download Submit
C:\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
C:\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
C:\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
C:\Users\QMDesktopAnimation.exe

Filesize
69KB

MD5
3d924b86f8dc8215ea1dcda84c218ad7

SHA1
bff3baea1ea9f1eef642773382d6e8945fa5bf8c

SHA256
a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

SHA512
bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

Download Submit
C:\Users\QMDesktopAnimation.exe

Filesize
69KB

MD5
3d924b86f8dc8215ea1dcda84c218ad7

SHA1
bff3baea1ea9f1eef642773382d6e8945fa5bf8c

SHA256
a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

SHA512
bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

Download Submit
memory/860-157-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/860-150-0x0000000076A70000-0x0000000076AEA000-memory.dmp

Filesize
488KB

Download
memory/860-149-0x0000000075900000-0x0000000075AA0000-memory.dmp

Filesize
1.6MB

Download
memory/860-147-0x0000000076670000-0x0000000076885000-memory.dmp

Filesize
2.1MB

Download
memory/860-146-0x00000000774C0000-0x0000000077663000-memory.dmp

Filesize
1.6MB

Download
memory/5096-143-0x0000000076A70000-0x0000000076AEA000-memory.dmp

Filesize
488KB

Download
memory/5096-142-0x0000000075900000-0x0000000075AA0000-memory.dmp

Filesize
1.6MB

Download
memory/5096-139-0x0000000076670000-0x0000000076885000-memory.dmp

Filesize
2.1MB

Download
memory/5096-151-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/5096-138-0x00000000774C0000-0x0000000077663000-memory.dmp

Filesize
1.6MB

Download
memory/5096-158-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/5104-141-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing