chinese_generic_botnet | 29b67786d8b98779be782b7212ab9feb95d6e41dbbdacbf00cb26cebc4011ae2

General

Target

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
Size

362KB
MD5

99be0e637186d469b647525e9275ccfc
SHA1

83a797037fd4c10f1248387395cc039aa9f3c71b
SHA256

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180
SHA512

1477f8db399c74174379ff881f6dcd9148bf57ff29839c466259d4c17235254e66cfd0410e5d0d79304a1a4f8352910d64a4f1446f7ed9cd5ceccd285ed265d5
SSDEEP

3072:N8jSZi34eTzl5KV2GenT0cTtm2LAQSXVqjzpYfJhrI:quZ5eg2GenQ67wk3pyJhrI

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral2/memory/4844-136-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral2/memory/1532-145-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5008	computer.exe
1532	._cache_computer.exe
3208	Synaptics.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	computer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe"	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Imsossm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_computer.exe"	._cache_computer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	._cache_computer.exe
File opened (read-only)	\??\W:	._cache_computer.exe
File opened (read-only)	\??\Z:	._cache_computer.exe
File opened (read-only)	\??\F:	._cache_computer.exe
File opened (read-only)	\??\J:	._cache_computer.exe
File opened (read-only)	\??\M:	._cache_computer.exe
File opened (read-only)	\??\S:	._cache_computer.exe
File opened (read-only)	\??\B:	._cache_computer.exe
File opened (read-only)	\??\P:	._cache_computer.exe
File opened (read-only)	\??\Q:	._cache_computer.exe
File opened (read-only)	\??\R:	._cache_computer.exe
File opened (read-only)	\??\H:	._cache_computer.exe
File opened (read-only)	\??\Y:	._cache_computer.exe
File opened (read-only)	\??\L:	._cache_computer.exe
File opened (read-only)	\??\N:	._cache_computer.exe
File opened (read-only)	\??\O:	._cache_computer.exe
File opened (read-only)	\??\U:	._cache_computer.exe
File opened (read-only)	\??\E:	._cache_computer.exe
File opened (read-only)	\??\G:	._cache_computer.exe
File opened (read-only)	\??\I:	._cache_computer.exe
File opened (read-only)	\??\K:	._cache_computer.exe
File opened (read-only)	\??\V:	._cache_computer.exe
File opened (read-only)	\??\X:	._cache_computer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_computer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_computer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	computer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	._cache_computer.exe
1532	._cache_computer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4644	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	79
PID 4844 wrote to memory of 4644	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	79
PID 4844 wrote to memory of 4644	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	79
PID 4844 wrote to memory of 5008	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	83
PID 4844 wrote to memory of 5008	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	83
PID 4844 wrote to memory of 5008	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	83
PID 5008 wrote to memory of 1532	5008	computer.exe	84
PID 5008 wrote to memory of 1532	5008	computer.exe	84
PID 5008 wrote to memory of 1532	5008	computer.exe	84
PID 5008 wrote to memory of 3208	5008	computer.exe	85
PID 5008 wrote to memory of 3208	5008	computer.exe	85
PID 5008 wrote to memory of 3208	5008	computer.exe	85

C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
"C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:4644
- C:\windowss64\computer.exe
  "C:\windowss64\computer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:3208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
memory/1532-145-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4844-136-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads