chinese_generic_botnet | 60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10-08-2023 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Size

4.2MB
MD5

e4448e2f5df5a13e04ce120a3e5707e4
SHA1

906d2f49e761112d3c4946f0019b4e4a6e22c4f7
SHA256

60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad
SHA512

a2301da8b85c381844215e83d936d11a87b0cec35ae6df73482a1fe0925b88b1ea162a307032585b91a71e3a7220ff4fa28b3408760febbff660667c1921e5a1
SSDEEP

98304:Q+HVb4W8QC49un+EI1VybU3pWW1Yvqr9O3t4fq98lRvIY:Q+HJ8l49O+b6F3+fm8lRAY

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral1/memory/1344-86-0x0000000010000000-0x000000001001F000-memory.dmp	unk_chinese_botnet
behavioral1/memory/1344-91-0x0000000000400000-0x00000000007E0000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 3 IoCs

pid	Process
2984	sg.tmp
2996	辅助.exe
1344	QProtect.exe

Loads dropped DLL 4 IoCs

pid	Process
1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
2996	辅助.exe
2996	辅助.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QProtect = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~7187534447904897272\\QProtect.exe"	辅助.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Terms.exe"	QProtect.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	QProtect.exe
File opened (read-only)	\??\T:	QProtect.exe
File opened (read-only)	\??\Y:	QProtect.exe
File opened (read-only)	\??\E:	QProtect.exe
File opened (read-only)	\??\I:	QProtect.exe
File opened (read-only)	\??\N:	QProtect.exe
File opened (read-only)	\??\P:	QProtect.exe
File opened (read-only)	\??\Q:	QProtect.exe
File opened (read-only)	\??\B:	QProtect.exe
File opened (read-only)	\??\H:	QProtect.exe
File opened (read-only)	\??\L:	QProtect.exe
File opened (read-only)	\??\X:	QProtect.exe
File opened (read-only)	\??\Z:	QProtect.exe
File opened (read-only)	\??\K:	QProtect.exe
File opened (read-only)	\??\U:	QProtect.exe
File opened (read-only)	\??\V:	QProtect.exe
File opened (read-only)	\??\O:	QProtect.exe
File opened (read-only)	\??\R:	QProtect.exe
File opened (read-only)	\??\W:	QProtect.exe
File opened (read-only)	\??\G:	QProtect.exe
File opened (read-only)	\??\J:	QProtect.exe
File opened (read-only)	\??\M:	QProtect.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs

pid	Process
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Terms.exe	QProtect.exe
File opened for modification	C:\Windows\Terms.exe	QProtect.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1344	QProtect.exe
1344	QProtect.exe
1344	QProtect.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: SeRestorePrivilege	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: 33	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: SeIncBasePriorityPrivilege	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: 33	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: SeIncBasePriorityPrivilege	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: 33	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: SeIncBasePriorityPrivilege	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: SeRestorePrivilege	2984	sg.tmp
Token: 35	2984	sg.tmp
Token: SeSecurityPrivilege	2984	sg.tmp
Token: SeSecurityPrivilege	2984	sg.tmp
Token: 33	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
Token: SeIncBasePriorityPrivilege	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2996	辅助.exe
2996	辅助.exe
1344	QProtect.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1748	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	28
PID 1928 wrote to memory of 1748	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	28
PID 1928 wrote to memory of 1748	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	28
PID 1928 wrote to memory of 1748	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	28
PID 1928 wrote to memory of 2984	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	30
PID 1928 wrote to memory of 2984	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	30
PID 1928 wrote to memory of 2984	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	30
PID 1928 wrote to memory of 2984	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	30
PID 1928 wrote to memory of 2996	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	32
PID 1928 wrote to memory of 2996	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	32
PID 1928 wrote to memory of 2996	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	32
PID 1928 wrote to memory of 2996	1928	60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe	32
PID 2996 wrote to memory of 1344	2996	辅助.exe	33
PID 2996 wrote to memory of 1344	2996	辅助.exe	33
PID 2996 wrote to memory of 1344	2996	辅助.exe	33
PID 2996 wrote to memory of 1344	2996	辅助.exe	33

C:\Users\Admin\AppData\Local\Temp\60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe
"C:\Users\Admin\AppData\Local\Temp\60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\~5648734933319007734~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\60df4b2fb38fbf4225a15b143b9017b8c226136ad19ea12d91002b284f89cdad.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~7187534447904897272"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\~7187534447904897272\辅助.exe
  "C:\Users\Admin\AppData\Local\Temp\~7187534447904897272\辅助.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\~7187534447904897272\QProtect.exe
    C:\Users\Admin\AppData\Local\Temp\~7187534447904897272\QProtect.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~5648734933319007734~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7187534447904897272\QProtect.exe

Filesize
2.8MB

MD5
212233d550805d2f51b9a9cc9139382e

SHA1
cc6c76aabe9cd23dc4af9f1bc6a3bb359d0eece5

SHA256
362d52c286f123d73c4ba39c1fb034d9fd954c185200bc5c3557c9c68e81c23d

SHA512
65cfef6ceaa7f5feeb0210814d19c8cc584233d86a95b17c039edd2addb3083c625b48f4f9dcabe7f8951f378a985c2f6c200a488f06d50c9fcda1dc859dd3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7187534447904897272\QProtect.exe

Filesize
2.8MB

MD5
212233d550805d2f51b9a9cc9139382e

SHA1
cc6c76aabe9cd23dc4af9f1bc6a3bb359d0eece5

SHA256
362d52c286f123d73c4ba39c1fb034d9fd954c185200bc5c3557c9c68e81c23d

SHA512
65cfef6ceaa7f5feeb0210814d19c8cc584233d86a95b17c039edd2addb3083c625b48f4f9dcabe7f8951f378a985c2f6c200a488f06d50c9fcda1dc859dd3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7187534447904897272\辅助.exe

Filesize
668KB

MD5
61d5400899bcb5ca8fef956a0130371e

SHA1
f0332f978a7308d26afa3701e1b35237133bbab0

SHA256
f025d093d446ed213ce12965a6d95bc721611bb6654e72a6313fafa03643223b

SHA512
91beb574fa3c5b9f5c3387aff7913bc166713f91be93f79a3179c846b17822106e15487fd3d55016a7f9378f805cd2f806950687889e14d6ba56764ab0919b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7187534447904897272\辅助.exe

Filesize
668KB

MD5
61d5400899bcb5ca8fef956a0130371e

SHA1
f0332f978a7308d26afa3701e1b35237133bbab0

SHA256
f025d093d446ed213ce12965a6d95bc721611bb6654e72a6313fafa03643223b

SHA512
91beb574fa3c5b9f5c3387aff7913bc166713f91be93f79a3179c846b17822106e15487fd3d55016a7f9378f805cd2f806950687889e14d6ba56764ab0919b79

Download Submit
\Users\Admin\AppData\Local\Temp\~5648734933319007734~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\Users\Admin\AppData\Local\Temp\~7187534447904897272\QProtect.exe

Filesize
2.8MB

MD5
212233d550805d2f51b9a9cc9139382e

SHA1
cc6c76aabe9cd23dc4af9f1bc6a3bb359d0eece5

SHA256
362d52c286f123d73c4ba39c1fb034d9fd954c185200bc5c3557c9c68e81c23d

SHA512
65cfef6ceaa7f5feeb0210814d19c8cc584233d86a95b17c039edd2addb3083c625b48f4f9dcabe7f8951f378a985c2f6c200a488f06d50c9fcda1dc859dd3e2

Download Submit
\Users\Admin\AppData\Local\Temp\~7187534447904897272\QProtect.exe

Filesize
2.8MB

MD5
212233d550805d2f51b9a9cc9139382e

SHA1
cc6c76aabe9cd23dc4af9f1bc6a3bb359d0eece5

SHA256
362d52c286f123d73c4ba39c1fb034d9fd954c185200bc5c3557c9c68e81c23d

SHA512
65cfef6ceaa7f5feeb0210814d19c8cc584233d86a95b17c039edd2addb3083c625b48f4f9dcabe7f8951f378a985c2f6c200a488f06d50c9fcda1dc859dd3e2

Download Submit
\Users\Admin\AppData\Local\Temp\~7187534447904897272\辅助.exe

Filesize
668KB

MD5
61d5400899bcb5ca8fef956a0130371e

SHA1
f0332f978a7308d26afa3701e1b35237133bbab0

SHA256
f025d093d446ed213ce12965a6d95bc721611bb6654e72a6313fafa03643223b

SHA512
91beb574fa3c5b9f5c3387aff7913bc166713f91be93f79a3179c846b17822106e15487fd3d55016a7f9378f805cd2f806950687889e14d6ba56764ab0919b79

Download Submit
memory/1344-77-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/1344-79-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/1344-80-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/1344-84-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/1344-82-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/1344-81-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/1344-85-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/1344-86-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1344-91-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2996-76-0x0000000002080000-0x0000000002460000-memory.dmp

Filesize
3.9MB

Download
memory/2996-78-0x0000000002080000-0x0000000002460000-memory.dmp

Filesize
3.9MB

Download
memory/2996-100-0x0000000002080000-0x0000000002460000-memory.dmp

Filesize
3.9MB

Download