chinese_generic_botnet | f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2023, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe
Size

5.8MB
MD5

16a2507de605b6a55d68ef1d376d1a9d
SHA1

6f4514a456804ffc7f3edf3d6b72059df95201b1
SHA256

f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab
SHA512

facf23c25431b03aa615a8330e1978ec1ac4568ff7e21867b6bb09ad777a369fed97bb29a7277c449e5ca3183aff9ed83e252b23c5e5aa6f95712dab505339b1
SSDEEP

98304:AqVQ4tml/iUm4XHb8vFtYkQ1rSz9rAmLJHORm6UJamI3LeojzZARZpkAdcc6IjWF:/J+jX7oDCrSpru+W3KMZkvdagNXhJs0I

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral2/memory/2864-13216-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral2/memory/2864-13219-0x0000000000400000-0x000000000051F000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 1 IoCs

pid	Process
2864	GameLoadep.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Terms.exe = "C:\\Windows\\GameLoadep.exe"	GameLoadep.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe
2864	GameLoadep.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GameLoadep.exe	f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2864	GameLoadep.exe
2864	GameLoadep.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2544	f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe
2544	f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2864	2544	f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe	80
PID 2544 wrote to memory of 2864	2544	f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe	80
PID 2544 wrote to memory of 2864	2544	f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe	80

C:\Users\Admin\AppData\Local\Temp\f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe
"C:\Users\Admin\AppData\Local\Temp\f7645bad6a4c17d537b1a4e2f87bb08b3aa96641aa3252c190a1dae69ee411ab.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\GameLoadep.exe
  C:\Windows\GameLoadep.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
memory/2544-7392-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2544-134-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2544-136-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2544-7394-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2864-4015-0x00000000768D0000-0x0000000076A70000-memory.dmp

Filesize
1.6MB

Download
memory/2864-6024-0x0000000075BC0000-0x0000000075C3A000-memory.dmp

Filesize
488KB

Download
memory/2864-140-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2864-141-0x00000000765B0000-0x00000000767C5000-memory.dmp

Filesize
2.1MB

Download
memory/2864-13211-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2864-13212-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2864-13214-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2864-13215-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2864-13216-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2864-13219-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download