chinese_generic_botnet | 8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0

Analysis

max time kernel
149s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-04-2023 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe
Size

3.4MB
MD5

3651d9ca9d9a43985750f0de73f0c807
SHA1

15810e62673e4625b4c8c61ad37f4b48a4760f55
SHA256

8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0
SHA512

23f604c116eea0d4212740594eefe0b044d6e088fad17bbc073c97923e31cb28b53a570a375adf012dbb7f797827595e48bf9a781913f4c08ae0125e0d0a5e05
SSDEEP

98304:Ps+xhKoQJBwKhJ+O+uiXAqSuuWHoFN6WtljaEy9oFLOAkGkzdnEVomFHKnP:5oJpQAqSudHmN6WtljaEyqFLOyomFHKP

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral1/memory/3272-121-0x0000000000C60000-0x0000000000C86000-memory.dmp	unk_chinese_botnet
behavioral1/memory/3272-122-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3244	Windowsfig.exe
4436	Winconfig.exe
4180	WINKK.exe

Loads dropped DLL 1 IoCs

pid	Process
4436	Winconfig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3244	Windowsfig.exe
3244	Windowsfig.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	Windowsfig.exe
Token: SeIncreaseQuotaPrivilege	3244	Windowsfig.exe
Token: SeSecurityPrivilege	3244	Windowsfig.exe
Token: SeTakeOwnershipPrivilege	3244	Windowsfig.exe
Token: SeLoadDriverPrivilege	3244	Windowsfig.exe
Token: SeSystemProfilePrivilege	3244	Windowsfig.exe
Token: SeSystemtimePrivilege	3244	Windowsfig.exe
Token: SeProfSingleProcessPrivilege	3244	Windowsfig.exe
Token: SeIncBasePriorityPrivilege	3244	Windowsfig.exe
Token: SeCreatePagefilePrivilege	3244	Windowsfig.exe
Token: SeBackupPrivilege	3244	Windowsfig.exe
Token: SeRestorePrivilege	3244	Windowsfig.exe
Token: SeShutdownPrivilege	3244	Windowsfig.exe
Token: SeDebugPrivilege	3244	Windowsfig.exe
Token: SeSystemEnvironmentPrivilege	3244	Windowsfig.exe
Token: SeRemoteShutdownPrivilege	3244	Windowsfig.exe
Token: SeUndockPrivilege	3244	Windowsfig.exe
Token: SeManageVolumePrivilege	3244	Windowsfig.exe
Token: 33	3244	Windowsfig.exe
Token: 34	3244	Windowsfig.exe
Token: 35	3244	Windowsfig.exe
Token: 36	3244	Windowsfig.exe
Token: SeIncreaseQuotaPrivilege	3244	Windowsfig.exe
Token: SeSecurityPrivilege	3244	Windowsfig.exe
Token: SeTakeOwnershipPrivilege	3244	Windowsfig.exe
Token: SeLoadDriverPrivilege	3244	Windowsfig.exe
Token: SeSystemProfilePrivilege	3244	Windowsfig.exe
Token: SeSystemtimePrivilege	3244	Windowsfig.exe
Token: SeProfSingleProcessPrivilege	3244	Windowsfig.exe
Token: SeIncBasePriorityPrivilege	3244	Windowsfig.exe
Token: SeCreatePagefilePrivilege	3244	Windowsfig.exe
Token: SeBackupPrivilege	3244	Windowsfig.exe
Token: SeRestorePrivilege	3244	Windowsfig.exe
Token: SeShutdownPrivilege	3244	Windowsfig.exe
Token: SeDebugPrivilege	3244	Windowsfig.exe
Token: SeSystemEnvironmentPrivilege	3244	Windowsfig.exe
Token: SeRemoteShutdownPrivilege	3244	Windowsfig.exe
Token: SeUndockPrivilege	3244	Windowsfig.exe
Token: SeManageVolumePrivilege	3244	Windowsfig.exe
Token: 33	3244	Windowsfig.exe
Token: 34	3244	Windowsfig.exe
Token: 35	3244	Windowsfig.exe
Token: 36	3244	Windowsfig.exe
Token: SeIncreaseQuotaPrivilege	3244	Windowsfig.exe
Token: SeSecurityPrivilege	3244	Windowsfig.exe
Token: SeTakeOwnershipPrivilege	3244	Windowsfig.exe
Token: SeLoadDriverPrivilege	3244	Windowsfig.exe
Token: SeSystemProfilePrivilege	3244	Windowsfig.exe
Token: SeSystemtimePrivilege	3244	Windowsfig.exe
Token: SeProfSingleProcessPrivilege	3244	Windowsfig.exe
Token: SeIncBasePriorityPrivilege	3244	Windowsfig.exe
Token: SeCreatePagefilePrivilege	3244	Windowsfig.exe
Token: SeBackupPrivilege	3244	Windowsfig.exe
Token: SeRestorePrivilege	3244	Windowsfig.exe
Token: SeShutdownPrivilege	3244	Windowsfig.exe
Token: SeDebugPrivilege	3244	Windowsfig.exe
Token: SeSystemEnvironmentPrivilege	3244	Windowsfig.exe
Token: SeRemoteShutdownPrivilege	3244	Windowsfig.exe
Token: SeUndockPrivilege	3244	Windowsfig.exe
Token: SeManageVolumePrivilege	3244	Windowsfig.exe
Token: 33	3244	Windowsfig.exe
Token: 34	3244	Windowsfig.exe
Token: 35	3244	Windowsfig.exe
Token: 36	3244	Windowsfig.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 3244	3272	8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe	66
PID 3272 wrote to memory of 3244	3272	8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe	66
PID 3272 wrote to memory of 3244	3272	8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe	66
PID 3272 wrote to memory of 1096	3272	8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe	67
PID 3272 wrote to memory of 1096	3272	8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe	67
PID 3272 wrote to memory of 1096	3272	8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe	67
PID 4436 wrote to memory of 4180	4436	Winconfig.exe	71
PID 4436 wrote to memory of 4180	4436	Winconfig.exe	71
PID 4436 wrote to memory of 4180	4436	Winconfig.exe	71

C:\Users\Admin\AppData\Local\Temp\8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe
"C:\Users\Admin\AppData\Local\Temp\8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3272
- C:\ProgramData\Windowsfig.exe
  "C:\ProgramData\Windowsfig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
  2⤵
  PID:1096

C:\ProgramData\Winconfig.exe
C:\ProgramData\Winconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4436
- C:\ProgramData\WINKK.exe
  "C:\ProgramData\WINKK.exe"
  2⤵
  - Executes dropped EXE
  PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UnityPlayer.dll

Filesize
92KB

MD5
615f37809421be3fd37d2bcf3d8272fc

SHA1
1c720cbf56e120f33dbe0fc9303ab53fc6396fcb

SHA256
b74fca4f5b6486bc33257bbecf8f155bab992af35c2178575b744a1a27f634da

SHA512
074a80652596894f75afd6eb9c40eb6b5373bc414b37df32765ca611999dad7c0e0cc7906c54c81678144907bc6178650160ad98cdcb4fd29ab03bc9d84d9179

Download Submit
C:\ProgramData\WINKK.exe

Filesize
3.4MB

MD5
3651d9ca9d9a43985750f0de73f0c807

SHA1
15810e62673e4625b4c8c61ad37f4b48a4760f55

SHA256
8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0

SHA512
23f604c116eea0d4212740594eefe0b044d6e088fad17bbc073c97923e31cb28b53a570a375adf012dbb7f797827595e48bf9a781913f4c08ae0125e0d0a5e05

Download Submit
C:\ProgramData\WINKK.exe

Filesize
3.4MB

MD5
3651d9ca9d9a43985750f0de73f0c807

SHA1
15810e62673e4625b4c8c61ad37f4b48a4760f55

SHA256
8e4856e97753bf0e0c73b10d7d7891968e347b73dd2b506e6308d7bca7af0dd0

SHA512
23f604c116eea0d4212740594eefe0b044d6e088fad17bbc073c97923e31cb28b53a570a375adf012dbb7f797827595e48bf9a781913f4c08ae0125e0d0a5e05

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
624KB

MD5
a016b34be004c76919b9a0635ad05e2b

SHA1
b214b1cc968b9e9afda12b394b6115e0a54f1598

SHA256
675c978dac587a7e694c93a5d40d11493807d66998c6f2eb6944c1528c96534a

SHA512
e087668790d8843c8ea4ef61c6cc176e8abec94f0af5a4b4769e853bfa7baa06655c44718ff974c01b4addd93f57184926b00ddbacf1e35e2aa5afd0f46c2f73

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
108KB

MD5
40528a8ce542af784cb9958552f7798d

SHA1
58c5ba782f367a1d65bf712ada150fe0b5e14292

SHA256
46780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc

SHA512
dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
108KB

MD5
40528a8ce542af784cb9958552f7798d

SHA1
58c5ba782f367a1d65bf712ada150fe0b5e14292

SHA256
46780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc

SHA512
dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
108KB

MD5
40528a8ce542af784cb9958552f7798d

SHA1
58c5ba782f367a1d65bf712ada150fe0b5e14292

SHA256
46780be1f3276ff325e105b85d5cac13b1eae75b04d17340bca01c7d63027cfc

SHA512
dad82f72882e2a7ca2fe4cea7360150bdffe394dca582f7afdc378ff6e77578e3dd12da668bf2297532b3d2475d97838571cca6343c4a7515d26449acf287e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ib3volhh.bz1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\ProgramData\UnityPlayer.dll

Filesize
92KB

MD5
615f37809421be3fd37d2bcf3d8272fc

SHA1
1c720cbf56e120f33dbe0fc9303ab53fc6396fcb

SHA256
b74fca4f5b6486bc33257bbecf8f155bab992af35c2178575b744a1a27f634da

SHA512
074a80652596894f75afd6eb9c40eb6b5373bc414b37df32765ca611999dad7c0e0cc7906c54c81678144907bc6178650160ad98cdcb4fd29ab03bc9d84d9179

Download Submit
memory/3244-160-0x0000000008550000-0x000000000859A000-memory.dmp

Filesize
296KB

Download
memory/3244-164-0x000000000A2F0000-0x000000000A33B000-memory.dmp

Filesize
300KB

Download
memory/3244-153-0x00000000082A0000-0x00000000082D6000-memory.dmp

Filesize
216KB

Download
memory/3244-154-0x0000000009390000-0x0000000009A08000-memory.dmp

Filesize
6.5MB

Download
memory/3244-155-0x0000000008380000-0x0000000008414000-memory.dmp

Filesize
592KB

Download
memory/3244-156-0x0000000008310000-0x0000000008332000-memory.dmp

Filesize
136KB

Download
memory/3244-157-0x0000000008490000-0x00000000084F6000-memory.dmp

Filesize
408KB

Download
memory/3244-158-0x0000000009A10000-0x0000000009F0E000-memory.dmp

Filesize
5.0MB

Download
memory/3244-159-0x0000000008450000-0x000000000846C000-memory.dmp

Filesize
112KB

Download
memory/3244-147-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/3244-161-0x0000000009F10000-0x000000000A260000-memory.dmp

Filesize
3.3MB

Download
memory/3244-162-0x0000000009130000-0x0000000009196000-memory.dmp

Filesize
408KB

Download
memory/3244-163-0x00000000092D0000-0x00000000092F2000-memory.dmp

Filesize
136KB

Download
memory/3244-152-0x0000000008240000-0x000000000825A000-memory.dmp

Filesize
104KB

Download
memory/3244-165-0x000000000A450000-0x000000000A4C6000-memory.dmp

Filesize
472KB

Download
memory/3244-151-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3244-174-0x00000000071B0000-0x00000000071CE000-memory.dmp

Filesize
120KB

Download
memory/3244-175-0x00000000071E0000-0x0000000007285000-memory.dmp

Filesize
660KB

Download
memory/3244-176-0x00000000FE410000-0x00000000FE420000-memory.dmp

Filesize
64KB

Download
memory/3244-177-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3244-178-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3244-179-0x0000000004F50000-0x0000000004F83000-memory.dmp

Filesize
204KB

Download
memory/3244-150-0x00000000086E0000-0x0000000008D08000-memory.dmp

Filesize
6.2MB

Download
memory/3244-149-0x00000000024D0000-0x00000000024D6000-memory.dmp

Filesize
24KB

Download
memory/3244-148-0x0000000000A10000-0x0000000000A2E000-memory.dmp

Filesize
120KB

Download
memory/3272-121-0x0000000000C60000-0x0000000000C86000-memory.dmp

Filesize
152KB

Download
memory/3272-122-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download