chinese_generic_botnet | 6644b72d27a0d5a6cc502b3903912a7ccbd292596e946a5c532e42532191fc67

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2023 08:51

Target

Script.exe
Size

748KB
MD5

5cdb63f3b705ea40e664394815e2bfb2
SHA1

55d9409906a658531d963291d29b25b980061b3e
SHA256

6644b72d27a0d5a6cc502b3903912a7ccbd292596e946a5c532e42532191fc67
SHA512

b3c9057705d9bf575ca052e4cdad74acb380d2c568f71bd61238e1abf0c067b8e1e247501ce4ae46ed9a9ef96a8d4850b75bbd3c53c78929f236e6573c941a5e
SSDEEP

6144:zHzIhp/8RJg8zO65HoFN6WtljaJul+pw8T:Lkkl5HoFN6WtljaElI9T

Score

10^/10

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/4992-133-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Script.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Script.exe"	Script.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	Script.exe
4992	Script.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4992	Script.exe