Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2023 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    3.3MB

  • MD5

    a3b10f3a5f223f5098ec991f21ab85aa

  • SHA1

    04765416947784368adaf3bea627bcd3c817f0f8

  • SHA256

    be817248c8fc124a548b2187aa95fca5b2a5de02cabbd18a2463d2cb5a1593ab

  • SHA512

    77d3183c13b0f70f963d9fe271c2f5889710d09a7acdf95650d8ac20b21009a0078803922803c73fcb237d5c6f070f7a016e6b13e8635d98a3f3df83c1292979

  • SSDEEP

    98304:Wbjsyw3BKLujJ5iV0hH1bRWydCOHoFN6WtljaEy9/FLOAkGkzdnEVomFHKnP:We3YY1bRWybHmN6WtljaEylFLOyomFHo

Score
10/10
chinese_generic_botnetbotnet

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet payload 2 IoCs
    botnet
  • Downloads MZ/PE file
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
      2⤵
        PID:3648

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3548-133-0x0000000002D60000-0x0000000002D86000-memory.dmp
      Filesize

      152KB

      Download
    • memory/3548-134-0x0000000010000000-0x0000000010027000-memory.dmp
      Filesize

      156KB

      Download