chinese_generic_botnet | bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10/08/2023, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe
Size

5.8MB
MD5

6fd9544ef1050f410c24a3c71a293b10
SHA1

a99a35d13239ef43191113a3279425b51a5e38cc
SHA256

bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39
SHA512

9ae03af9daf66f0056e8aec5a628f4c0870c22157e64d20ac485b2d0f8758ecbe91c6e8f71ac185b86273364fd691e03b4c3cf792ddd9697c450b6adaeac3762
SSDEEP

98304:AqVQ4tml/iUm4XHb8vFtYkQorSz9rAmLJHORm6UJamI3LeojzZARZpkAdcc6IjWF:/J+jX7oDnrSpru+W3KMZkvdagNXhJs0I

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/1432-10046-0x0000000000400000-0x000000000051F000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
1432	GameLoadep.exe
2716	Terms.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe
1432	GameLoadep.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Terms.exe	GameLoadep.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	GameLoadep.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GameLoadep.exe	bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1432	GameLoadep.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2284	bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2284	bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe
2284	bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1432	2284	bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe	28
PID 2284 wrote to memory of 1432	2284	bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe	28
PID 2284 wrote to memory of 1432	2284	bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe	28
PID 2284 wrote to memory of 1432	2284	bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe	28

C:\Users\Admin\AppData\Local\Temp\bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe
"C:\Users\Admin\AppData\Local\Temp\bdf5c486211d8650da2c86e4864ee997ff6c752a53b52f9abf37b848ef90ee39.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\GameLoadep.exe
  C:\Windows\GameLoadep.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1432

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Terms.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
memory/1432-906-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-898-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-873-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-874-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-876-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-878-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-880-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-882-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-884-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-886-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-888-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-890-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-892-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-894-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-896-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-914-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-900-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-902-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-904-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-908-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-61-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1432-910-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-63-0x0000000075640000-0x0000000075687000-memory.dmp

Filesize
284KB

Download
memory/1432-912-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-8756-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1432-918-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-920-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-922-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-924-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-926-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-928-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-930-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-932-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-934-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-2609-0x0000000001D60000-0x0000000001E60000-memory.dmp

Filesize
1024KB

Download
memory/1432-2610-0x0000000001F90000-0x0000000002111000-memory.dmp

Filesize
1.5MB

Download
memory/1432-8749-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-8751-0x0000000002120000-0x0000000002221000-memory.dmp

Filesize
1.0MB

Download
memory/1432-916-0x0000000002240000-0x0000000002351000-memory.dmp

Filesize
1.1MB

Download
memory/1432-10046-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2284-60-0x00000000035B0000-0x00000000036CF000-memory.dmp

Filesize
1.1MB

Download
memory/2284-62-0x00000000035B0000-0x00000000036CF000-memory.dmp

Filesize
1.1MB

Download
memory/2284-14945-0x00000000035B0000-0x00000000036CF000-memory.dmp

Filesize
1.1MB

Download
memory/2716-11313-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2716-11314-0x0000000001FE0000-0x0000000002161000-memory.dmp

Filesize
1.5MB

Download
memory/2716-15683-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download