Analysis

  • max time kernel
    141s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/08/2023, 10:09

General

  • Target

    17fc24f9a27d576de75bf22be948be15cc93d2906538f34ad114bc66ced60452.exe

  • Size

    3.1MB

  • MD5

    9fa976d52ae40dc1f3b3b13dc6c76140

  • SHA1

    3d1595588f5e16b65357f60795da96ab5249fbfb

  • SHA256

    17fc24f9a27d576de75bf22be948be15cc93d2906538f34ad114bc66ced60452

  • SHA512

    384d04f1476e2e8d5a2ccfd0334afe80421f1a5303758240d00cc6d667e2de0362f6cbcd02fb276f012b28ea4af54ba14228f870269266c9a9d7c25cc488c7e0

  • SSDEEP

    98304:O+QAqz6e1viI01SalmZhphU1JwYFLOAkGkzdnEVomFHKnP:O/5vRhphU1nFLOyomFHKnP

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

  • Chinese Botnet payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17fc24f9a27d576de75bf22be948be15cc93d2906538f34ad114bc66ced60452.exe
    "C:\Users\Admin\AppData\Local\Temp\17fc24f9a27d576de75bf22be948be15cc93d2906538f34ad114bc66ced60452.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "md C:\ProgramData\e260"
      2⤵
        PID:1108
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start C:\ProgramData\e260
        2⤵
        • Modifies registry class
        PID:2316
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4484
      • C:\ProgramData\e260\word.exe
        "C:\ProgramData\e260\word.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        PID:3760

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\e260\word.exe

        Filesize

        398KB

        MD5

        f13f5ac8b89c9ac8d02d1ef7cf9bdf0a

        SHA1

        a65ffcc750e84e3fdc6e56829ccd77229d73eee9

        SHA256

        1649152cf5eb988b0c02f413a29ec20fcd452e0c5aafd63406b1a7a9062c8a85

        SHA512

        0214670c60caaf1800704f6a93691f820a363b367a374584c6f56ea0497b1896db2d16c004315f16bfb65069ecbf53bf4b2f9ad34c6d8ba4b006c6482c9a5a40

      • C:\ProgramData\e260\wwlib.dll

        Filesize

        105KB

        MD5

        8a716251a6ab1432e5ab4d6b206fb7aa

        SHA1

        c71df9277dc5a31146812f0f785e6d36ebeb2ed3

        SHA256

        d9b22ed4b440a83c858b8d741d1aa2cf7576f1887359fca163266917bdecd3bc

        SHA512

        dc8d5c62d202aa836f473535a1d4be6ac5098a8d81307c9c50c8028d693175aeeebfd028b3efcc5d80278023f945434395469812e0d89421d27abc58887b71f3

      • memory/3760-145-0x000000002FF20000-0x000000002FF86000-memory.dmp

        Filesize

        408KB

      • memory/3760-146-0x0000000001150000-0x0000000001176000-memory.dmp

        Filesize

        152KB

      • memory/3760-147-0x000000002FF20000-0x000000002FF86000-memory.dmp

        Filesize

        408KB

      • memory/3760-148-0x0000000010000000-0x0000000010027000-memory.dmp

        Filesize

        156KB