chinese_generic_botnet | be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
08-04-2023 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe
Size

3.3MB
MD5

a3b10f3a5f223f5098ec991f21ab85aa
SHA1

04765416947784368adaf3bea627bcd3c817f0f8
SHA256

be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab
SHA512

77d3183c13b0f70f963d9fe271c2f5889710d09a7acdf95650d8ac20b21009a0078803922803c73fcb237d5c6f070f7a016e6b13e8635d98a3f3df83c1292979
SSDEEP

98304:Wbjsyw3BKLujJ5iV0hH1bRWydCOHoFN6WtljaEy9/FLOAkGkzdnEVomFHKnP:We3YY1bRWybHmN6WtljaEylFLOyomFHo

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/3668-119-0x0000000003290000-0x00000000032B6000-memory.dmp	unk_chinese_botnet
behavioral1/memory/3668-120-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Windowsfig.exeWinconfig.exeWINKK.exe

pid process

1636 Windowsfig.exe
4396 Winconfig.exe
312 WINKK.exe
Loads dropped DLL 1 IoCs

Processes:

Winconfig.exe

pid process

4396 Winconfig.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3016 4396 WerFault.exe Winconfig.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Windowsfig.exe

pid process

1636 Windowsfig.exe
1636 Windowsfig.exe

pid	process
1636	Windowsfig.exe
4396	Winconfig.exe
312	WINKK.exe

pid	process
4396	Winconfig.exe

pid	pid_target	process	target process
3016	4396	WerFault.exe	Winconfig.exe

pid	process
1636	Windowsfig.exe
1636	Windowsfig.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Windowsfig.exe

description	pid	process
Token: SeDebugPrivilege	1636	Windowsfig.exe
Token: SeIncreaseQuotaPrivilege	1636	Windowsfig.exe
Token: SeSecurityPrivilege	1636	Windowsfig.exe
Token: SeTakeOwnershipPrivilege	1636	Windowsfig.exe
Token: SeLoadDriverPrivilege	1636	Windowsfig.exe
Token: SeSystemProfilePrivilege	1636	Windowsfig.exe
Token: SeSystemtimePrivilege	1636	Windowsfig.exe
Token: SeProfSingleProcessPrivilege	1636	Windowsfig.exe
Token: SeIncBasePriorityPrivilege	1636	Windowsfig.exe
Token: SeCreatePagefilePrivilege	1636	Windowsfig.exe
Token: SeBackupPrivilege	1636	Windowsfig.exe
Token: SeRestorePrivilege	1636	Windowsfig.exe
Token: SeShutdownPrivilege	1636	Windowsfig.exe
Token: SeDebugPrivilege	1636	Windowsfig.exe
Token: SeSystemEnvironmentPrivilege	1636	Windowsfig.exe
Token: SeRemoteShutdownPrivilege	1636	Windowsfig.exe
Token: SeUndockPrivilege	1636	Windowsfig.exe
Token: SeManageVolumePrivilege	1636	Windowsfig.exe
Token: 33	1636	Windowsfig.exe
Token: 34	1636	Windowsfig.exe
Token: 35	1636	Windowsfig.exe
Token: 36	1636	Windowsfig.exe
Token: SeIncreaseQuotaPrivilege	1636	Windowsfig.exe
Token: SeSecurityPrivilege	1636	Windowsfig.exe
Token: SeTakeOwnershipPrivilege	1636	Windowsfig.exe
Token: SeLoadDriverPrivilege	1636	Windowsfig.exe
Token: SeSystemProfilePrivilege	1636	Windowsfig.exe
Token: SeSystemtimePrivilege	1636	Windowsfig.exe
Token: SeProfSingleProcessPrivilege	1636	Windowsfig.exe
Token: SeIncBasePriorityPrivilege	1636	Windowsfig.exe
Token: SeCreatePagefilePrivilege	1636	Windowsfig.exe
Token: SeBackupPrivilege	1636	Windowsfig.exe
Token: SeRestorePrivilege	1636	Windowsfig.exe
Token: SeShutdownPrivilege	1636	Windowsfig.exe
Token: SeDebugPrivilege	1636	Windowsfig.exe
Token: SeSystemEnvironmentPrivilege	1636	Windowsfig.exe
Token: SeRemoteShutdownPrivilege	1636	Windowsfig.exe
Token: SeUndockPrivilege	1636	Windowsfig.exe
Token: SeManageVolumePrivilege	1636	Windowsfig.exe
Token: 33	1636	Windowsfig.exe
Token: 34	1636	Windowsfig.exe
Token: 35	1636	Windowsfig.exe
Token: 36	1636	Windowsfig.exe
Token: SeIncreaseQuotaPrivilege	1636	Windowsfig.exe
Token: SeSecurityPrivilege	1636	Windowsfig.exe
Token: SeTakeOwnershipPrivilege	1636	Windowsfig.exe
Token: SeLoadDriverPrivilege	1636	Windowsfig.exe
Token: SeSystemProfilePrivilege	1636	Windowsfig.exe
Token: SeSystemtimePrivilege	1636	Windowsfig.exe
Token: SeProfSingleProcessPrivilege	1636	Windowsfig.exe
Token: SeIncBasePriorityPrivilege	1636	Windowsfig.exe
Token: SeCreatePagefilePrivilege	1636	Windowsfig.exe
Token: SeBackupPrivilege	1636	Windowsfig.exe
Token: SeRestorePrivilege	1636	Windowsfig.exe
Token: SeShutdownPrivilege	1636	Windowsfig.exe
Token: SeDebugPrivilege	1636	Windowsfig.exe
Token: SeSystemEnvironmentPrivilege	1636	Windowsfig.exe
Token: SeRemoteShutdownPrivilege	1636	Windowsfig.exe
Token: SeUndockPrivilege	1636	Windowsfig.exe
Token: SeManageVolumePrivilege	1636	Windowsfig.exe
Token: 33	1636	Windowsfig.exe
Token: 34	1636	Windowsfig.exe
Token: 35	1636	Windowsfig.exe
Token: 36	1636	Windowsfig.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exeWINKK.exe

pid process

3668 be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe
312 WINKK.exe

pid	process
3668	be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe
312	WINKK.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exeWinconfig.exe

description	pid	process	target process
PID 3668 wrote to memory of 1636	3668	be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe	Windowsfig.exe
PID 3668 wrote to memory of 1636	3668	be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe	Windowsfig.exe
PID 3668 wrote to memory of 1636	3668	be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe	Windowsfig.exe
PID 3668 wrote to memory of 4484	3668	be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe	cmd.exe
PID 3668 wrote to memory of 4484	3668	be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe	cmd.exe
PID 3668 wrote to memory of 4484	3668	be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe	cmd.exe
PID 4396 wrote to memory of 312	4396	Winconfig.exe	WINKK.exe
PID 4396 wrote to memory of 312	4396	Winconfig.exe	WINKK.exe
PID 4396 wrote to memory of 312	4396	Winconfig.exe	WINKK.exe

C:\Users\Admin\AppData\Local\Temp\be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe
"C:\Users\Admin\AppData\Local\Temp\be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
2⤵
PID:4484

C:\ProgramData\Winconfig.exe
C:\ProgramData\Winconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4396

C:\ProgramData\WINKK.exe
"C:\ProgramData\WINKK.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 632
2⤵
- Program crash
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UnityPlayer.dll
Filesize
44KB

MD5
a9b39030a593bd0c2a0061033890f5f6

SHA1
5aa04424d986ed57178e15247023915bf6560d7d

SHA256
77c001108f1f7b38da4598e61d5603756307ecd815c5a237b22f2e0fded70ca5

SHA512
1bd87b3525aaa8896489e27d4af8a8edb69682d6e2f5110a5a7ea073cb3273577e7d0835d97f19693c1d6e702f2890cb117441c07baf93ce6b600a192a98c289

Download Submit
C:\ProgramData\WINKK.exe
Filesize
3.3MB

MD5
a3b10f3a5f223f5098ec991f21ab85aa

SHA1
04765416947784368adaf3bea627bcd3c817f0f8

SHA256
be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab

SHA512
77d3183c13b0f70f963d9fe271c2f5889710d09a7acdf95650d8ac20b21009a0078803922803c73fcb237d5c6f070f7a016e6b13e8635d98a3f3df83c1292979

Download Submit
C:\ProgramData\WINKK.exe
Filesize
3.3MB

MD5
a3b10f3a5f223f5098ec991f21ab85aa

SHA1
04765416947784368adaf3bea627bcd3c817f0f8

SHA256
be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab

SHA512
77d3183c13b0f70f963d9fe271c2f5889710d09a7acdf95650d8ac20b21009a0078803922803c73fcb237d5c6f070f7a016e6b13e8635d98a3f3df83c1292979

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
624KB

MD5
a016b34be004c76919b9a0635ad05e2b

SHA1
b214b1cc968b9e9afda12b394b6115e0a54f1598

SHA256
675c978dac587a7e694c93a5d40d11493807d66998c6f2eb6944c1528c96534a

SHA512
e087668790d8843c8ea4ef61c6cc176e8abec94f0af5a4b4769e853bfa7baa06655c44718ff974c01b4addd93f57184926b00ddbacf1e35e2aa5afd0f46c2f73

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
108KB

MD5
40528a8ce542af784cb9958552f7798d

SHA1
58c5ba782f367a1d65bf712ada150fe0b5e14292

SHA256
46780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc

SHA512
dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
108KB

MD5
40528a8ce542af784cb9958552f7798d

SHA1
58c5ba782f367a1d65bf712ada150fe0b5e14292

SHA256
46780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc

SHA512
dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
108KB

MD5
40528a8ce542af784cb9958552f7798d

SHA1
58c5ba782f367a1d65bf712ada150fe0b5e14292

SHA256
46780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc

SHA512
dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwy0msxw.l0l.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\ProgramData\UnityPlayer.dll
Filesize
44KB

MD5
a9b39030a593bd0c2a0061033890f5f6

SHA1
5aa04424d986ed57178e15247023915bf6560d7d

SHA256
77c001108f1f7b38da4598e61d5603756307ecd815c5a237b22f2e0fded70ca5

SHA512
1bd87b3525aaa8896489e27d4af8a8edb69682d6e2f5110a5a7ea073cb3273577e7d0835d97f19693c1d6e702f2890cb117441c07baf93ce6b600a192a98c289

Download Submit
memory/1636-148-0x00000000078B0000-0x0000000007ED8000-memory.dmp

Filesize
6.2MB

Download
memory/1636-162-0x0000000009360000-0x00000000093AB000-memory.dmp

Filesize
300KB

Download
memory/1636-151-0x0000000007450000-0x0000000007486000-memory.dmp

Filesize
216KB

Download
memory/1636-152-0x0000000008560000-0x0000000008BD8000-memory.dmp

Filesize
6.5MB

Download
memory/1636-153-0x0000000007530000-0x00000000075C4000-memory.dmp

Filesize
592KB

Download
memory/1636-154-0x00000000074C0000-0x00000000074E2000-memory.dmp

Filesize
136KB

Download
memory/1636-155-0x0000000007640000-0x00000000076A6000-memory.dmp

Filesize
408KB

Download
memory/1636-156-0x0000000008BE0000-0x00000000090DE000-memory.dmp

Filesize
5.0MB

Download
memory/1636-157-0x0000000007600000-0x000000000761C000-memory.dmp

Filesize
112KB

Download
memory/1636-158-0x0000000007700000-0x000000000774A000-memory.dmp

Filesize
296KB

Download
memory/1636-159-0x00000000080F0000-0x0000000008440000-memory.dmp

Filesize
3.3MB

Download
memory/1636-160-0x00000000084F0000-0x0000000008556000-memory.dmp

Filesize
408KB

Download
memory/1636-161-0x0000000009210000-0x0000000009232000-memory.dmp

Filesize
136KB

Download
memory/1636-150-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/1636-163-0x00000000094C0000-0x0000000009536000-memory.dmp

Filesize
472KB

Download
memory/1636-149-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1636-172-0x000000000AF60000-0x000000000AF7E000-memory.dmp

Filesize
120KB

Download
memory/1636-173-0x00000000FECA0000-0x00000000FECB0000-memory.dmp

Filesize
64KB

Download
memory/1636-174-0x000000000AF90000-0x000000000B035000-memory.dmp

Filesize
660KB

Download
memory/1636-175-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1636-176-0x0000000004EC0000-0x0000000004EF3000-memory.dmp

Filesize
204KB

Download
memory/1636-145-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/1636-147-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/1636-146-0x0000000002520000-0x000000000253E000-memory.dmp

Filesize
120KB

Download
memory/3668-119-0x0000000003290000-0x00000000032B6000-memory.dmp

Filesize
152KB

Download
memory/3668-120-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download