chinese_generic_botnet | 65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

General

Target

tmp.exe
Size

1.1MB
MD5

700fc96585a4947fcdf27a271d40876f
SHA1

121edbdefb9a894ff217f20c963626ec1bd94770
SHA256

65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa
SHA512

748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e
SSDEEP

12288:VMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9FC9/W74Vf:VnsJ39LyjbJkQFMhmC+6GD9mW7S

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/4388-262-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 3 IoCs

pid	Process
4388	._cache_tmp.exe
4192	Synaptics.exe
1752	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Terms.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Terms.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_tmp.exe"	._cache_tmp.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	._cache_Synaptics.exe
File opened (read-only)	\??\G:	._cache_Synaptics.exe
File opened (read-only)	\??\L:	._cache_Synaptics.exe
File opened (read-only)	\??\Q:	._cache_Synaptics.exe
File opened (read-only)	\??\I:	._cache_Synaptics.exe
File opened (read-only)	\??\J:	._cache_Synaptics.exe
File opened (read-only)	\??\N:	._cache_Synaptics.exe
File opened (read-only)	\??\R:	._cache_Synaptics.exe
File opened (read-only)	\??\S:	._cache_Synaptics.exe
File opened (read-only)	\??\W:	._cache_Synaptics.exe
File opened (read-only)	\??\E:	._cache_Synaptics.exe
File opened (read-only)	\??\K:	._cache_Synaptics.exe
File opened (read-only)	\??\M:	._cache_Synaptics.exe
File opened (read-only)	\??\P:	._cache_Synaptics.exe
File opened (read-only)	\??\T:	._cache_Synaptics.exe
File opened (read-only)	\??\U:	._cache_Synaptics.exe
File opened (read-only)	\??\X:	._cache_Synaptics.exe
File opened (read-only)	\??\Z:	._cache_Synaptics.exe
File opened (read-only)	\??\H:	._cache_Synaptics.exe
File opened (read-only)	\??\O:	._cache_Synaptics.exe
File opened (read-only)	\??\V:	._cache_Synaptics.exe
File opened (read-only)	\??\Y:	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1752	._cache_Synaptics.exe
1752	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4388	4108	tmp.exe	83
PID 4108 wrote to memory of 4388	4108	tmp.exe	83
PID 4108 wrote to memory of 4388	4108	tmp.exe	83
PID 4108 wrote to memory of 4192	4108	tmp.exe	84
PID 4108 wrote to memory of 4192	4108	tmp.exe	84
PID 4108 wrote to memory of 4192	4108	tmp.exe	84
PID 4192 wrote to memory of 1752	4192	Synaptics.exe	85
PID 4192 wrote to memory of 1752	4192	Synaptics.exe	85
PID 4192 wrote to memory of 1752	4192	Synaptics.exe	85

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4388
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
700fc96585a4947fcdf27a271d40876f

SHA1
121edbdefb9a894ff217f20c963626ec1bd94770

SHA256
65a0ece86fe16402e51a637d121bddccfa0d1d026bd0cec7f7ead19c31507eaa

SHA512
748d5fd5421bdb51421dc9a33c2a4ca93a66d1afcdeb03a766513b81e05a337e52ad3fdacb852e8e037e7dfffdb3e6cfec3fe376d885a8c8b8da5188cd4c032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
352KB

MD5
e76dbb2f998c3ccf78e984001c9207c8

SHA1
9c27f473c6d8529f77fdfaac6615265d096b4f85

SHA256
ac5afced6515d12cf83466ea2dc0e874c9b5491beba0837a344e0e6093febc07

SHA512
ed1eea5ef6d894cb460c00a78bb8363159c6afd52d94446b48c644088d3aae0319411175112385d4e92d2f6bd5b89c03b0f6f140eb24d4b72848b8e2b1105b34

Download Submit
memory/4108-237-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/4108-133-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4192-234-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4192-275-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/4192-276-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4192-302-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/4388-262-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads