Overview

overview

10

Static

static

fe0c0b0b67...b1.exe

windows7_x64

10

fe0c0b0b67...b1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25/05/2022, 01:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    fe0c0b0b671cccf510ee1075e6c73ad61f24ab8390ca608916861eb6385a6eb1.exe

  • Size

    4.2MB

  • MD5

    a97298f5d70fd3eb9c46bc5bb14b6cd6

  • SHA1

    7fd6fe0c946ca25386c0402efa6d43f545193b6a

  • SHA256

    fe0c0b0b671cccf510ee1075e6c73ad61f24ab8390ca608916861eb6385a6eb1

  • SHA512

    2c4ee94382590a7a5427dd7c462767e6d6c5c38f379e181a13b1e300c5869f171722519f37eed095efa80449b738e0892fe01be3c38b695380ac86b8d5b2b10f

Score
10/10
chinese_generic_botnetbotnetevasionpersistencetrojan

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet Payload 2 IoCs
    botnet
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe0c0b0b671cccf510ee1075e6c73ad61f24ab8390ca608916861eb6385a6eb1.exe
    "C:\Users\Admin\AppData\Local\Temp\fe0c0b0b671cccf510ee1075e6c73ad61f24ab8390ca608916861eb6385a6eb1.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Public\ϵͳ°²È«²¹¶¡.exe
      C:\Users\Public\ϵͳ°²È«²¹¶¡.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Users\lsass.exe
        C:\Users\lsass.exe
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1904

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\ExceptCatch.dll
    Filesize

    2.7MB

    MD5

    aadc8962292c560caa2e9e3d39e32c4d

    SHA1

    a01f04297284783381f950e45efafe3358e8751d

    SHA256

    3d0ec418284fd1ef419fd8e57ce9adc84be51d1bff4910bb20aa319175a8f661

    SHA512

    47dec97ae8f57d82326440cb2106836ea8831fdd5d76e36476ef8d0007ab88da0ec757f91cee94d285f4d123376d380c92df6d1ffd0b7a997d9f592a82c7848f

    Download Submit

  • C:\Users\Public\ExceptCatch.dll
    Filesize

    2.7MB

    MD5

    aadc8962292c560caa2e9e3d39e32c4d

    SHA1

    a01f04297284783381f950e45efafe3358e8751d

    SHA256

    3d0ec418284fd1ef419fd8e57ce9adc84be51d1bff4910bb20aa319175a8f661

    SHA512

    47dec97ae8f57d82326440cb2106836ea8831fdd5d76e36476ef8d0007ab88da0ec757f91cee94d285f4d123376d380c92df6d1ffd0b7a997d9f592a82c7848f

    Download Submit

  • C:\Users\Public\ϵͳ°²È«²¹¶¡.exe
    Filesize

    69KB

    MD5

    3d924b86f8dc8215ea1dcda84c218ad7

    SHA1

    bff3baea1ea9f1eef642773382d6e8945fa5bf8c

    SHA256

    a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

    SHA512

    bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

    Download Submit

  • C:\Users\Public\ϵͳ°²È«²¹¶¡.exe
    Filesize

    69KB

    MD5

    3d924b86f8dc8215ea1dcda84c218ad7

    SHA1

    bff3baea1ea9f1eef642773382d6e8945fa5bf8c

    SHA256

    a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

    SHA512

    bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

    Download Submit

  • C:\Users\lsass.exe
    Filesize

    2.0MB

    MD5

    b03c0e3bf47d84324c4dcefac159878e

    SHA1

    6dde0d9602241a61ce4550124c376257049486f0

    SHA256

    7ab986781e1f88d46221748be9674a553b9f3f611e31859026a310ba0c1133ac

    SHA512

    cc5f7dfafc6b677a392f953e92ce8c1dd1140ee037099d2ffab6ed564e8241682a23d55b8a89c54b18fc06d402d6c5620dc0c3083483d3fcce516b28d0108c2b

    Download Submit

  • C:\Users\lsass.exe
    Filesize

    2.0MB

    MD5

    b03c0e3bf47d84324c4dcefac159878e

    SHA1

    6dde0d9602241a61ce4550124c376257049486f0

    SHA256

    7ab986781e1f88d46221748be9674a553b9f3f611e31859026a310ba0c1133ac

    SHA512

    cc5f7dfafc6b677a392f953e92ce8c1dd1140ee037099d2ffab6ed564e8241682a23d55b8a89c54b18fc06d402d6c5620dc0c3083483d3fcce516b28d0108c2b

    Download Submit

  • memory/1876-1479-0x0000000000400000-0x0000000000932000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1876-134-0x0000000076C60000-0x0000000076CDA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1876-1483-0x0000000000400000-0x0000000000932000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1876-1480-0x0000000000400000-0x0000000000932000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1876-130-0x0000000077D30000-0x0000000077ED3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1876-1478-0x0000000000400000-0x0000000000932000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1876-131-0x0000000076470000-0x0000000076685000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1876-1481-0x0000000000400000-0x0000000000932000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1876-1489-0x0000000000400000-0x0000000000932000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1876-133-0x0000000075EB0000-0x0000000076050000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1904-1493-0x0000000077D30000-0x0000000077ED3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1904-1494-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1904-1497-0x0000000000400000-0x000000000095E000-memory.dmp

    Filesize

    5.4MB

    Download