Analysis
-
max time kernel
84s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
18-04-2023 18:16
General
-
Target
ZJ.exe
-
Size
2.3MB
-
MD5
1610c7cceefdeae7b7ac5367c73d040f
-
SHA1
f4387ef0b446a41909ab27437d1926cefd51c28a
-
SHA256
ff526968ee5a3aa4891f5e9bf0ac2790797762b5eaf34d47f5058f64c5908a13
-
SHA512
9e44567d492a080ba487f651fc808f4ea1ecab6e142bb47dca462175b88b2859d0ee4b9bc7399ffee880ada5897d31333e243b6509450829edb81cddf83140f5
-
SSDEEP
49152:wVPKtAZe39RT9D2PwgOWH3+E3B2EU9Dcg7ODwI5p/2QAm15fHoFN6WtljaEy93aB:EKSgtRT52nOWHrR2EUigUD5p/2QAofHl
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 2 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZJ.exe"C:\Users\Admin\AppData\Local\Temp\ZJ.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Windowsfig.exe"C:\ProgramData\Windowsfig.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 24243⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 884 -ip 8841⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD540528a8ce542af784cb9958552f7798d
SHA158c5ba782f367a1d65bf712ada150fe0b5e14292
SHA25646780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc
SHA512dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a
-
Filesize
108KB
MD540528a8ce542af784cb9958552f7798d
SHA158c5ba782f367a1d65bf712ada150fe0b5e14292
SHA25646780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc
SHA512dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a
-
Filesize
108KB
MD540528a8ce542af784cb9958552f7798d
SHA158c5ba782f367a1d65bf712ada150fe0b5e14292
SHA25646780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc
SHA512dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
128KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
296KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
152KB
-
Filesize
156KB