Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
15-10-2022 01:51
General
-
Target
Server_se.exe
-
Size
880KB
-
MD5
53460de37325b4979177f832ae51f9de
-
SHA1
f32dd3e711e5fc24c3e525ab835c83588cbc1558
-
SHA256
bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1
-
SHA512
19a489017baaa2adb1c9cf75a502725a28193e4a0661b8f7956169084884e82e07d9b980091d1f8c307cb6f7ae7e7bb3fd3012db0a30dedbe30621f1f60f1595
-
SSDEEP
24576:7stUx5NK+HjoSIIJ2thqogNSNOKt5apf7xesN7:gtIS+dJgRkSNO0Qpow
Score
10/10
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 24 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server_se.exe"C:\Users\Admin\AppData\Local\Temp\Server_se.exe"1⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c md C:\windowss642⤵
-
C:\Program Files (x86)\Ecigfam.exe"C:\Program Files (x86)\Ecigfam.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c md C:\windowss642⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Ecigfam.exeFilesize
880KB
MD553460de37325b4979177f832ae51f9de
SHA1f32dd3e711e5fc24c3e525ab835c83588cbc1558
SHA256bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1
SHA51219a489017baaa2adb1c9cf75a502725a28193e4a0661b8f7956169084884e82e07d9b980091d1f8c307cb6f7ae7e7bb3fd3012db0a30dedbe30621f1f60f1595
-
C:\Program Files (x86)\Ecigfam.exeFilesize
880KB
MD553460de37325b4979177f832ae51f9de
SHA1f32dd3e711e5fc24c3e525ab835c83588cbc1558
SHA256bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1
SHA51219a489017baaa2adb1c9cf75a502725a28193e4a0661b8f7956169084884e82e07d9b980091d1f8c307cb6f7ae7e7bb3fd3012db0a30dedbe30621f1f60f1595
-
memory/280-9277-0x0000000000000000-mapping.dmp
-
memory/1032-4813-0x0000000000000000-mapping.dmp
-
memory/1576-54-0x0000000075B11000-0x0000000075B13000-memory.dmpFilesize
8KB
-
memory/1576-56-0x0000000075800000-0x0000000075847000-memory.dmpFilesize
284KB
-
memory/1576-462-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-463-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-464-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-465-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-466-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-467-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-468-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-469-0x0000000000400000-0x0000000000529000-memory.dmpFilesize
1.2MB
-
memory/1576-471-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-470-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-472-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-473-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-474-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-475-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-476-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-477-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-478-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-479-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-480-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-481-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-482-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-483-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-484-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-485-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-486-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-487-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-488-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-489-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-495-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-494-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-496-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-493-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-497-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-492-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-490-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-491-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-498-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-499-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-500-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-501-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-504-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-507-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-508-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-510-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-511-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-509-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-512-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-506-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-513-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-505-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-502-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-514-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-503-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-517-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-518-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-519-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-520-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-521-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-515-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-516-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-522-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-523-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-524-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-1340-0x0000000001D60000-0x0000000001E60000-memory.dmpFilesize
1024KB
-
memory/1576-1342-0x0000000001FF0000-0x0000000002171000-memory.dmpFilesize
1.5MB
-
memory/1576-4814-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1576-4815-0x0000000000400000-0x0000000000529000-memory.dmpFilesize
1.2MB
-
memory/1576-4816-0x0000000001D60000-0x0000000001E60000-memory.dmpFilesize
1024KB
-
memory/1576-4820-0x0000000000400000-0x0000000000529000-memory.dmpFilesize
1.2MB
-
memory/1692-5342-0x0000000000400000-0x0000000000529000-memory.dmpFilesize
1.2MB
-
memory/1692-6218-0x0000000000790000-0x0000000000890000-memory.dmpFilesize
1024KB
-
memory/1692-6220-0x0000000001E70000-0x0000000001FF1000-memory.dmpFilesize
1.5MB
-
memory/1692-9276-0x0000000002180000-0x0000000002291000-memory.dmpFilesize
1.1MB
-
memory/1692-9278-0x0000000000400000-0x0000000000529000-memory.dmpFilesize
1.2MB
-
memory/1692-9279-0x0000000000790000-0x0000000000890000-memory.dmpFilesize
1024KB
-
memory/1692-9283-0x0000000000400000-0x0000000000529000-memory.dmpFilesize
1.2MB