Overview

overview

10

Static

static

1

d7c3bb09aa...b2.exe

windows7-x64

10

d7c3bb09aa...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-02-2023 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe

  • Size

    1.1MB

  • MD5

    a4713efd7588cce07c4d82dda4efbfd3

  • SHA1

    03c07219ef2846557937a1fcb6fdfa936c1610a0

  • SHA256

    d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2

  • SHA512

    be6e8e17bcb3a3d3f5502c187f5488c8556760dbdabf0cfc9d1fd05bfa2b9328136ddc57c3867ae47530ac897d7e9dad9dea57615da27868cf657e0a5b64b530

  • SSDEEP

    12288:VMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9lg5e6FqtNf:VnsJ39LyjbJkQFMhmC+6GD9+QX3

Score
10/10
chinese_generic_botnetbotnetpersistence

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet payload 2 IoCs
    botnet
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
    "C:\Users\Admin\AppData\Local\Temp\d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\AppData\Local\Temp\._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c md C:\windowss64
        3⤵
          PID:3284
        • C:\windowss64\computer.exe
          "C:\windowss64\computer.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4032
          • C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1848
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        PID:2580

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      754KB

      MD5

      9053a0cbd2ae2350d9fa43468d6e96dd

      SHA1

      5c905ea1c7a6a52c3385dd68e11c45cfcc73cd63

      SHA256

      cc8f6c5a99dd8b667c8a32ff4f5aa2d3aee292b3a531493d74a65e3cbc12bf69

      SHA512

      3b1f01950bcd0e8973e47dee703f8e43046083c63abe9363ddbe973bb3f37a17829efae9a4ded360c1c40f65bcedaa9de14a4e3f1e487f8596ee8f53c54445c6

      Download Submit

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      754KB

      MD5

      9053a0cbd2ae2350d9fa43468d6e96dd

      SHA1

      5c905ea1c7a6a52c3385dd68e11c45cfcc73cd63

      SHA256

      cc8f6c5a99dd8b667c8a32ff4f5aa2d3aee292b3a531493d74a65e3cbc12bf69

      SHA512

      3b1f01950bcd0e8973e47dee703f8e43046083c63abe9363ddbe973bb3f37a17829efae9a4ded360c1c40f65bcedaa9de14a4e3f1e487f8596ee8f53c54445c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
      Filesize

      400KB

      MD5

      20beeb0a82adcce3a58372804acc46be

      SHA1

      c579d9017d2c8298fe075ff5c05963901330e72a

      SHA256

      d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

      SHA512

      7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
      Filesize

      400KB

      MD5

      20beeb0a82adcce3a58372804acc46be

      SHA1

      c579d9017d2c8298fe075ff5c05963901330e72a

      SHA256

      d1aaa7e7d31bf648c57f0c721d6f6ee2b17395b4e09d9d89a4f6dbd5dd706a8e

      SHA512

      7636912ba6323063cefb7fac5a6cff9e44a474e452a4d5d4f77ef88968266de184c68112e3667585e02e811781f51ee020e61ce820e3f9a38dcfdf30e6d522bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
      Filesize

      362KB

      MD5

      9552f895a4a0eb501fbac7763b26088f

      SHA1

      7f1361ea4bf392f84abe37f1c5e8845d1bf98c05

      SHA256

      845c91674475e84eab72a22e2c915083192fb3e00463d10ba231d720d0f15172

      SHA512

      f59cae315903bda0e2a9f116ccac494c63522436f8f9ea1268248f7c178b8ede4bf4f9a4db44835bad53fd3fb037f6e96a9ca486e5b71742072d403c0cb3146e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_d7c3bb09aa5e1d92564315ab491476d795850f7503dbad7e2835a87c7904d5b2.exe
      Filesize

      362KB

      MD5

      9552f895a4a0eb501fbac7763b26088f

      SHA1

      7f1361ea4bf392f84abe37f1c5e8845d1bf98c05

      SHA256

      845c91674475e84eab72a22e2c915083192fb3e00463d10ba231d720d0f15172

      SHA512

      f59cae315903bda0e2a9f116ccac494c63522436f8f9ea1268248f7c178b8ede4bf4f9a4db44835bad53fd3fb037f6e96a9ca486e5b71742072d403c0cb3146e

      Download Submit

    • C:\windowss64\computer.exe
      Filesize

      1.1MB

      MD5

      be689578752179e22bf915dbcf4f7520

      SHA1

      e798e703bfb90707a2872b51da73f32af566aedb

      SHA256

      de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

      SHA512

      89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

      Download Submit

    • C:\windowss64\computer.exe
      Filesize

      1.1MB

      MD5

      be689578752179e22bf915dbcf4f7520

      SHA1

      e798e703bfb90707a2872b51da73f32af566aedb

      SHA256

      de8c1aa37dd523e0699a10be71185f7a8ac1cde972d04107068f49250ef7317e

      SHA512

      89c95b387e566dfaf3f6a4ab60ee6e24d2574dd3802458e4d8f15e4c44136ac54c5b3a53addc1d28748656320050ee735fa2e8e5c57cdfb53fbdddc6eb586da8

      Download Submit

    • memory/1848-148-0x0000000010000000-0x0000000010018000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2140-142-0x0000000010000000-0x0000000010018000-memory.dmp

      Filesize

      96KB

      Download