chinese_generic_botnet | 6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/01/2023, 21:24

Target

6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2.exe
Size

664KB
MD5

6ee2603f88b3ab82e4089bf12f633a00
SHA1

0c076e2c795c1c875384c3e9c5ade382648b2a6a
SHA256

6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2
SHA512

d3998094531579e0941945ef0801fa855191c15b3711286ab772b078d9c94e037c22bfddb52ac148fc30def4938c15b4b9c5a2653f6eaee6e01039b15d100e38
SSDEEP

3072:upH0jrEzxbJpF+ax8oSZylh76xFwZvMZYgUamncbwTrnwTTatvywC6/sUVdQKgZW:+zFJKYjh+xFwLbwTTatd/sUVdQUIa

Score

10^/10

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/1472-56-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
928	Kqakiwq.exe
564	Kqakiwq.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Nrxwyt\Kqakiwq.exe	6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Nrxwyt\Kqakiwq.exe	6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1472	6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1472	6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2.exe
928	Kqakiwq.exe
564	Kqakiwq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 564	928	Kqakiwq.exe	29
PID 928 wrote to memory of 564	928	Kqakiwq.exe	29
PID 928 wrote to memory of 564	928	Kqakiwq.exe	29
PID 928 wrote to memory of 564	928	Kqakiwq.exe	29

C:\Program Files (x86)\Microsoft Nrxwyt\Kqakiwq.exe

Filesize
664KB

MD5
6ee2603f88b3ab82e4089bf12f633a00

SHA1
0c076e2c795c1c875384c3e9c5ade382648b2a6a

SHA256
6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2

SHA512
d3998094531579e0941945ef0801fa855191c15b3711286ab772b078d9c94e037c22bfddb52ac148fc30def4938c15b4b9c5a2653f6eaee6e01039b15d100e38

Download Submit
C:\Program Files (x86)\Microsoft Nrxwyt\Kqakiwq.exe

Filesize
664KB

MD5
6ee2603f88b3ab82e4089bf12f633a00

SHA1
0c076e2c795c1c875384c3e9c5ade382648b2a6a

SHA256
6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2

SHA512
d3998094531579e0941945ef0801fa855191c15b3711286ab772b078d9c94e037c22bfddb52ac148fc30def4938c15b4b9c5a2653f6eaee6e01039b15d100e38

Download Submit
C:\Program Files (x86)\Microsoft Nrxwyt\Kqakiwq.exe

Filesize
664KB

MD5
6ee2603f88b3ab82e4089bf12f633a00

SHA1
0c076e2c795c1c875384c3e9c5ade382648b2a6a

SHA256
6499dfc9cd9d9da4bd0ee1f23f4b4014f7d525924da56c93b8e75562c12f6cb2

SHA512
d3998094531579e0941945ef0801fa855191c15b3711286ab772b078d9c94e037c22bfddb52ac148fc30def4938c15b4b9c5a2653f6eaee6e01039b15d100e38

Download Submit
memory/1472-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1472-55-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1472-56-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download