chinese_generic_botnet | 70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

Analysis

max time kernel
3s
max time network
144s
platform
windows7_x64
resource
win7-20220414-en
submitted
23/05/2022, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.1MB
MD5

d6df53506b123f5717463d0355336979
SHA1

7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14
SHA256

70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694
SHA512

1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet Payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2016-65-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
2016	._cache_tmp.exe
1172	Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
1460	tmp.exe
1460	tmp.exe
1460	tmp.exe
1460	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2016	1460	tmp.exe	27
PID 1460 wrote to memory of 2016	1460	tmp.exe	27
PID 1460 wrote to memory of 2016	1460	tmp.exe	27
PID 1460 wrote to memory of 2016	1460	tmp.exe	27
PID 1460 wrote to memory of 1172	1460	tmp.exe	28
PID 1460 wrote to memory of 1172	1460	tmp.exe	28
PID 1460 wrote to memory of 1172	1460	tmp.exe	28
PID 1460 wrote to memory of 1172	1460	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:1172

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:1588

C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe
"C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe"
1⤵
PID:300
- C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe
  "C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe" Win7
  2⤵
  PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
677KB

MD5
e531629cf6016f059452684fa12fbc50

SHA1
6d9e55e51c143d17c85d75e6dc5ab26d95018df4

SHA256
4381a244555d8e0366fdd6bba2905593f9b64899324275ed3cbdb832fc7cae04

SHA512
95b23edd7af1104e83b8657f741cd370666d4c20a39c41b4f0992aa19b437e7cdc56a6fe87ea7e45ece8528ce509385fb1b9fd9198314bb3ef9e7ef476cce572

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\P5u5eJ1Z.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
664KB

MD5
78b3e76c4ab9350cd357ee645bb51f2f

SHA1
3e9d81ec570ced5f24b0addb8b95b1ac494d9fb7

SHA256
952db7a195e70b60824745de8a4bdca920c69be9da3f1f99371ac4b798ee80b3

SHA512
8ca88d2668623ba8b876cfdad2d7c842aedcb62ec1ebf0b90924744c099c557d946cbb7743a91bf1304aa1276c685e3791997dadfc39d16e1206be8b51c02040

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
656KB

MD5
b1d3e2afe0af9b696d3d93ae08d898cf

SHA1
82b43639c5c3d0630cc6f6a6eed91deada7409f0

SHA256
e1dd9c47873ba04ec1f8f65271b8f4e2f16f82d107318f45f2da6f1264486213

SHA512
c1d45d6365916e1b2fffd8bbb843d17ce294a96dc8d6fc4a15a61a7ff4c087f5bd530b6aad275b57820b367a00e82a1c3de8de1074e102b2a54190af1b1ab7cd

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
memory/1460-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1588-82-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-77-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-84-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1588-81-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-80-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-79-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-78-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-86-0x000000007232D000-0x0000000072338000-memory.dmp

Filesize
44KB

Download
memory/1588-83-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-76-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-75-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-74-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-73-0x0000000000274000-0x000000000027A000-memory.dmp

Filesize
24KB

Download
memory/1588-69-0x0000000071341000-0x0000000071343000-memory.dmp

Filesize
8KB

Download
memory/1588-68-0x000000002F531000-0x000000002F534000-memory.dmp

Filesize
12KB

Download
memory/2016-65-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download