chinese_generic_botnet | 54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421

General

Target

54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe
Size

2.0MB
MD5

1e2cfbde6afd4b54fabbc9c70735123f
SHA1

ad19d94a6ecfe8ab38fb2f83e9129e6cfccab7cf
SHA256

54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421
SHA512

4415a3fd01c46c17628c7943902296da5387fdbf530060889806ce3b3ef5717a2724767fd6ee9855204455955bdc2b477581838588fd6311789aff52f997e077
SSDEEP

49152:Uxae01xkh8Y0E5M5Lwex5oSbWmg/f8M8WKL/0qk/H979/:5Y0GevWmoUPT0qQH979

Score

10^/10

chinese_generic_botnet botnet upx

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 4 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/1660-55-0x0000000010000000-0x000000001001F000-memory.dmp	unk_chinese_botnet
behavioral1/memory/1660-61-0x0000000000400000-0x00000000007A0000-memory.dmp	unk_chinese_botnet
behavioral1/memory/1932-71-0x0000000000400000-0x00000000007A0000-memory.dmp	unk_chinese_botnet
behavioral1/memory/852-76-0x0000000000400000-0x00000000007A0000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

Processes:

Terms.exeTerms.exe

pid process

1932 Terms.exe
852 Terms.exe

pid	process
1932	Terms.exe
852	Terms.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\Terms.exe	upx
behavioral1/memory/1660-61-0x0000000000400000-0x00000000007A0000-memory.dmp	upx
behavioral1/memory/1932-62-0x0000000000400000-0x00000000007A0000-memory.dmp	upx
C:\Program Files (x86)\Terms.exe	upx
C:\Program Files (x86)\Terms.exe	upx
behavioral1/memory/1932-71-0x0000000000400000-0x00000000007A0000-memory.dmp	upx
behavioral1/memory/852-76-0x0000000000400000-0x00000000007A0000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe

description	ioc	process
File created	C:\Program Files (x86)\Terms.exe	54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe

pid process

1660 54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exeTerms.exeTerms.exe

pid process

1660 54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe
1932 Terms.exe
852 Terms.exe

pid	process
1660	54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe

pid	process
1660	54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe
1932	Terms.exe
852	Terms.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Terms.exe

description	pid	process	target process
PID 1932 wrote to memory of 852	1932	Terms.exe	Terms.exe
PID 1932 wrote to memory of 852	1932	Terms.exe	Terms.exe
PID 1932 wrote to memory of 852	1932	Terms.exe	Terms.exe
PID 1932 wrote to memory of 852	1932	Terms.exe	Terms.exe

C:\Users\Admin\AppData\Local\Temp\54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe
"C:\Users\Admin\AppData\Local\Temp\54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe" Win7
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Terms.exe
Filesize
2.0MB

MD5
1e2cfbde6afd4b54fabbc9c70735123f

SHA1
ad19d94a6ecfe8ab38fb2f83e9129e6cfccab7cf

SHA256
54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421

SHA512
4415a3fd01c46c17628c7943902296da5387fdbf530060889806ce3b3ef5717a2724767fd6ee9855204455955bdc2b477581838588fd6311789aff52f997e077

Download Submit
C:\Program Files (x86)\Terms.exe
Filesize
2.0MB

MD5
1e2cfbde6afd4b54fabbc9c70735123f

SHA1
ad19d94a6ecfe8ab38fb2f83e9129e6cfccab7cf

SHA256
54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421

SHA512
4415a3fd01c46c17628c7943902296da5387fdbf530060889806ce3b3ef5717a2724767fd6ee9855204455955bdc2b477581838588fd6311789aff52f997e077

Download Submit
C:\Program Files (x86)\Terms.exe
Filesize
2.0MB

MD5
1e2cfbde6afd4b54fabbc9c70735123f

SHA1
ad19d94a6ecfe8ab38fb2f83e9129e6cfccab7cf

SHA256
54cf35c8c1b0949422348d097c4544186753549583395108fe620c57b8033421

SHA512
4415a3fd01c46c17628c7943902296da5387fdbf530060889806ce3b3ef5717a2724767fd6ee9855204455955bdc2b477581838588fd6311789aff52f997e077

Download Submit
memory/852-68-0x0000000000000000-mapping.dmp

Download
memory/852-76-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1660-55-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1660-61-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/1932-62-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/1932-71-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads