chinese_generic_botnet | 92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2023 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe
Size

5.8MB
MD5

ced08f8395b6a15695f274634dd4ae84
SHA1

64354574c1a2f6e0b9be3985770169a29d0e7ba7
SHA256

92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb
SHA512

3dfd94f34c38739ea12c81eb9a6e0d3d8c03645f9ad5b264ef5d2e1bf7ddbc927ebaea442c0f0406adea0b27d4cc484eff7c91118aa0ce74eb5b576cb3d40dec
SSDEEP

98304:AqVQ4tml/iUm4XHb8vFtYkQprSz9rAmLJHORm6UJamI3LeojzZARZpkAdcc6IjWF:/J+jX7oDarSpru+W3KMZkvdagNXhJs0I

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 3 IoCs

botnet

resource	yara_rule
behavioral2/memory/5104-13215-0x0000000000400000-0x000000000051F000-memory.dmp	unk_chinese_botnet
behavioral2/memory/5104-13216-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral2/memory/5104-13219-0x0000000000400000-0x000000000051F000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 1 IoCs

pid	Process
5104	GameLoadep.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Terms.exe = "C:\\Windows\\GameLoadep.exe"	GameLoadep.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe
5104	GameLoadep.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GameLoadep.exe	92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5104	GameLoadep.exe
5104	GameLoadep.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1160	92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1160	92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe
1160	92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 5104	1160	92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe	83
PID 1160 wrote to memory of 5104	1160	92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe	83
PID 1160 wrote to memory of 5104	1160	92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe	83

C:\Users\Admin\AppData\Local\Temp\92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe
"C:\Users\Admin\AppData\Local\Temp\92349dddb5f9f274b30358a78b8eb1d88df9cca2937663f256fb7c2c4d756cbb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\GameLoadep.exe
  C:\Windows\GameLoadep.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
memory/1160-5899-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1160-134-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1160-5900-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/5104-6025-0x0000000076700000-0x000000007677A000-memory.dmp

Filesize
488KB

Download
memory/5104-4014-0x0000000076820000-0x00000000769C0000-memory.dmp

Filesize
1.6MB

Download
memory/5104-140-0x0000000076390000-0x00000000765A5000-memory.dmp

Filesize
2.1MB

Download
memory/5104-138-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5104-13210-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5104-13211-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5104-13213-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5104-13214-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5104-13215-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5104-13216-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/5104-13219-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download