chinese_generic_botnet | e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10/08/2023, 11:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe
Size

5.8MB
MD5

3d44528e2d3c0384e98d1e97ffaf819a
SHA1

51d7fc29e685708839d30611489ce2e9022949eb
SHA256

e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8
SHA512

2ab6df1e78f3c42d30745286e19bf8f559a97677bc1d7d53337e3c9418fc489d6df109376df2f320718d2b72fb0be5c71218eb2d31f47c9d8b98300245eaf9c7
SSDEEP

98304:AqVQ4tml/iUm4XHb8vFtYkQBrSz9rAmLJHORm6UJamI3LeojzZARZpkAdcc6IjWF:/J+jX7oDqrSpru+W3KMZkvdagNXhJs0I

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2644-8763-0x0000000000400000-0x000000000051F000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
2644	GameLoadep.exe
2652	Terms.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe
2644	GameLoadep.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Terms.exe	GameLoadep.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	GameLoadep.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GameLoadep.exe	e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2644	GameLoadep.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2572	e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2572	e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe
2572	e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2644	2572	e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe	28
PID 2572 wrote to memory of 2644	2572	e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe	28
PID 2572 wrote to memory of 2644	2572	e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe	28
PID 2572 wrote to memory of 2644	2572	e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe	28

C:\Users\Admin\AppData\Local\Temp\e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe
"C:\Users\Admin\AppData\Local\Temp\e66af925847f8d944290b151b96890967dee344edff64e20c97c10b566edfee8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\GameLoadep.exe
  C:\Windows\GameLoadep.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
PID:2652

Network

No results found

106.52.15.123:80

GameLoadep.exe

152 B
80 B
3
2
106.52.15.123:80

GameLoadep.exe

152 B
80 B
3
2
36.111.172.221:8000

GameLoadep.exe

152 B
80 B
3
2
36.111.172.221:8000

GameLoadep.exe

152 B
80 B
3
2
36.111.172.221:8000

GameLoadep.exe

152 B
120 B
3
3
36.111.172.221:8000

GameLoadep.exe

152 B
120 B
3
3
36.111.172.221:8000

GameLoadep.exe

152 B
120 B
3
3
36.111.172.221:8000

GameLoadep.exe

152 B
40 B
3
1
36.111.172.221:8000

GameLoadep.exe

104 B
2

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Terms.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
C:\Windows\GameLoadep.exe

Filesize
864KB

MD5
645a7e5dc4adc68141447b01cb9cec49

SHA1
2f83beeb3031aa238c8eba4ae04398ff38274780

SHA256
76931bce0663f68f95a46414d389042181c690749eed44cb09aae325a0b9ef17

SHA512
fdf56fcacc1b43c94bd2811ad3926706f7382fc1d3e20c58b050cf254019c3b6226d0ffa8d4ba6aec259d3a99cb63d06d02156dd6dabab59b91418ba462885de

Download Submit
memory/2572-61-0x00000000035D0000-0x00000000036EF000-memory.dmp

Filesize
1.1MB

Download
memory/2572-63-0x00000000035D0000-0x00000000036EF000-memory.dmp

Filesize
1.1MB

Download
memory/2572-10354-0x00000000035D0000-0x00000000036EF000-memory.dmp

Filesize
1.1MB

Download
memory/2644-907-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-915-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-875-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-877-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-874-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-879-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-881-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-883-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-885-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-887-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-889-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-891-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-893-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-895-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-897-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-899-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-901-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-903-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-905-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-62-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2644-909-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-911-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-913-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-64-0x00000000769C0000-0x0000000076A07000-memory.dmp

Filesize
284KB

Download
memory/2644-917-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-919-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-921-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-923-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-925-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-927-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-929-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-931-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-933-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-935-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-2610-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2644-2611-0x0000000002120000-0x00000000022A1000-memory.dmp

Filesize
1.5MB

Download
memory/2644-4162-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2644-8751-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/2644-8753-0x0000000001E90000-0x0000000001F91000-memory.dmp

Filesize
1.0MB

Download
memory/2644-8758-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2644-8763-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2652-11317-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2652-11318-0x0000000001EF0000-0x0000000002071000-memory.dmp

Filesize
1.5MB

Download
memory/2652-12817-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2652-14656-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download