Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    18-02-2023 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    872KB

  • MD5

    d156b1ffd7d387927ee88491a26ccae6

  • SHA1

    15764f67963a0e70f2b310510b95021d7e4aa27d

  • SHA256

    18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679

  • SHA512

    0c213b94f86e49dfad8aed263ef11f5c24b9597591ae7f37b6451f513c1451f603c27676e547809976f636c86d2650fe12c988cdf2cea5ee6843612583ade283

  • SSDEEP

    24576:8gC7+maMAjAERQqMHwfVh7OrvgE+FarjUyHWuXki:UihMHwfVhagE3RWuXki

Score
10/10
chinese_generic_botnetbotnet

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet payload 2 IoCs
    botnet
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1428
  • C:\Program Files (x86)\Msemswe.exe
    "C:\Program Files (x86)\Msemswe.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies data under HKEY_USERS
    PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Msemswe.exe
    Filesize

    872KB

    MD5

    d156b1ffd7d387927ee88491a26ccae6

    SHA1

    15764f67963a0e70f2b310510b95021d7e4aa27d

    SHA256

    18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679

    SHA512

    0c213b94f86e49dfad8aed263ef11f5c24b9597591ae7f37b6451f513c1451f603c27676e547809976f636c86d2650fe12c988cdf2cea5ee6843612583ade283

    Download Submit
  • C:\Program Files (x86)\Msemswe.exe
    Filesize

    872KB

    MD5

    d156b1ffd7d387927ee88491a26ccae6

    SHA1

    15764f67963a0e70f2b310510b95021d7e4aa27d

    SHA256

    18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679

    SHA512

    0c213b94f86e49dfad8aed263ef11f5c24b9597591ae7f37b6451f513c1451f603c27676e547809976f636c86d2650fe12c988cdf2cea5ee6843612583ade283

    Download Submit
  • memory/1004-4797-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1004-5727-0x0000000001E70000-0x0000000001F70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1004-5729-0x0000000001FB0000-0x0000000002131000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1004-8928-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1004-8927-0x0000000002260000-0x0000000002371000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1004-8926-0x0000000001E70000-0x0000000001F70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1428-523-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-470-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1428-465-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-464-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-463-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-518-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-469-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-474-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-475-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-473-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-517-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-471-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-479-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-480-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-478-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-477-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-476-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-482-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-484-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-483-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-481-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-485-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-489-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-488-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-487-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-486-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-491-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-490-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-525-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-519-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-468-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-522-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-521-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-520-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-524-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-466-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-472-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-516-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-515-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-514-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-513-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-512-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-511-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-510-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-509-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-508-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-507-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-506-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-505-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-504-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-503-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-502-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-501-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-500-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-499-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-498-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-497-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-496-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-495-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-494-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-493-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-492-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-467-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-56-0x00000000755F0000-0x0000000075637000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1428-54-0x0000000075F51000-0x0000000075F53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1428-1579-0x0000000001DE0000-0x0000000001EE0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1428-1581-0x0000000001F90000-0x0000000002111000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1428-4298-0x0000000002240000-0x0000000002351000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1428-4299-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1428-4300-0x0000000001DE0000-0x0000000001EE0000-memory.dmp
    Filesize

    1024KB

    Download