Analysis
- max time kernel: 155s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-02-2023 01:31
Static task: static1
Behavioral task: behavioral1
- Sample: d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
- Resource: win10v2004-20221111-en
General
- Target: d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
- Size: 1.1MB
- MD5: a4713efd7588cce07c4d82dda4efbfd3
- SHA1: 03c07219ef2846557937a1fcb6fdfa936c1610a0
- SHA256: d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2
- SHA512: be6e8e17bcb3a3d3f5502c187f5488c8556760dbdabf0cfc9d1fd05bfa2b9328136ddc57c3867ae47530ac897d7e9dad9dea57615da27868cf657e0a5b64b530
- SSDEEP: 12288:VMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9lg5e6FqtNf:VnsJ39LyjbJkQFMhmC+6GD9+QX3
Malware Config
Signatures
- Generic Chinese Botnet
  A botnet originating from China which is currently unnamed publicly.
- Chinese Botnet payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2140-142-0x0000000010000000-0x0000000010018000-memory.dmp | unk_chinese_botnet
  behavioral2/memory/1848-148-0x0000000010000000-0x0000000010018000-memory.dmp | unk_chinese_botnet
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe, ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe, computer.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | computer.exe
- Executes dropped EXE (4 IoCs)
  Processes: ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe, Synaptics.exe, computer.exe, ._cache_computer.exe
  pid | process
  2140 | ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
  2580 | Synaptics.exe
  4032 | computer.exe
  1848 | ._cache_computer.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe, ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe, ._cache_computer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uqimxqo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe" | ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Imsossm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_computer.exe" | ._cache_computer.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: ._cache_computer.exe
  description | ioc | process
  File opened (read-only) | \??\O:, \??\U:, \??\Y:, \??\E:, \??\F:, \??\I:, \??\L:, \??\N:, \??\P:, \??\Q:, \??\R:, \??\B:, \??\J:, \??\K:, \??\M:, \??\W:, \??\X:, \??\Z:, \??\V:, \??\G:, \??\H:, \??\S:, \??\T: (one entry per drive letter) | ._cache_computer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: ._cache_computer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ._cache_computer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ._cache_computer.exe
- Modifies registry class (2 IoCs)
  Processes: d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe, computer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | computer.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: ._cache_computer.exe
  pid | process
  1848 | ._cache_computer.exe
  1848 | ._cache_computer.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe, ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe, computer.exe
  description | pid | process | target process
  PID 4848 wrote to memory of 2140 | 4848 | d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe | ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe (listed 3 times)
  PID 2140 wrote to memory of 3284 | 2140 | ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe | cmd.exe (listed 3 times)
  PID 4848 wrote to memory of 2580 | 4848 | d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe | Synaptics.exe (listed 3 times)
  PID 2140 wrote to memory of 4032 | 2140 | ._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe | computer.exe (listed 3 times)
  PID 4032 wrote to memory of 1848 | 4032 | computer.exe | ._cache_computer.exe (listed 3 times)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c md C:\windowss64
    - Depth 3: C:\windowss64\computer.exe
      Command line: "C:\windowss64\computer.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - Depth 4: C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
  - Depth 2: C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Synaptics\Synaptics.exe
  Filesize: 754KB
  MD5: 9053a0cbd2ae2350d9fa43468d6e96dd
  SHA1: 5c905ea1c7a6a52c3385dd68e11c45cfcc73cd63
  SHA256: cc8f6c5a99dd8b667c8a32ff4f5aa2d3aee292b3a531493d74a65e3cbc12bf69
  SHA512: 3b1f01950bcd0e8973e47dee703f8e43046083c63abe9363ddbe973bb3f37a17829efae9a4ded360c1c40f65bcedaa9de14a4e3f1e487f8596ee8f53c54445c6
- C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
  Filesize: 400KB
  MD5: 20beeb0a82adcce3a58372804acc46be
  SHA1: c579d9017d2c8298fe075ff5c05963901330e72a
  SHA256: d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e
  SHA512: 7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd
- C:\Users\Admin\AppData\Local\Temp\._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
  Filesize: 362KB
  MD5: 9552f895a4a0eb501fbac7763b26088f
  SHA1: 7f1361ea4bf392f84abe37f1c5e8845d1bf98c05
  SHA256: 845c91674475e84eab72a22e2c915083192fb3e00463d10ba231d720d0f15172
  SHA512: f59cae315903bda0e2a9f116ccac494c63522436f8f9ea1268248f7c178b8ede4bf4f9a4db44835bad53fd3fb037f6e96a9ca486e5b71742072d403c0cb3146e
- C:\windowss64\computer.exe
  Filesize: 1.1MB
  MD5: be689578752179e22bf915dbcf4f7520
  SHA1: e798e703bfb90707a2872b51da73f32af566aedb
  SHA256: de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e
  SHA512: 89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8
- memory/1848-148-0x0000000010000000-0x0000000010018000-memory.dmp
  Filesize: 96KB
- memory/1848-145-0x0000000000000000-mapping.dmp
- memory/2140-142-0x0000000010000000-0x0000000010018000-memory.dmp
  Filesize: 96KB
- memory/2140-132-0x0000000000000000-mapping.dmp
- memory/2580-136-0x0000000000000000-mapping.dmp
- memory/3284-135-0x0000000000000000-mapping.dmp
- memory/4032-139-0x0000000000000000-mapping.dmp