chinese_generic_botnet | 3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28-08-2023 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe
Size

2.1MB
MD5

b3bb7c073196991ff4f81b73c7ac4949
SHA1

fe77f7d5a1e44c1a745173b3489a8e28538d7e12
SHA256

3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab
SHA512

46faf5d44df28a975459c4fa4235da740b85d075be3e3b7c3ae988cfc67c67a9319ebe5310e982545a0b42eb11987eca312f2aeb0697fe3cd7c8c3402fb5ba96
SSDEEP

49152:Hu0h+pnUDg4RbasV1Tuh/iRdwbSpjJV5QHzMFn1fx:Hu0hrEcjV1Tq/iRdxpjJV5QHzMF

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral1/memory/2656-59-0x0000000000100000-0x0000000000126000-memory.dmp	unk_chinese_botnet
behavioral1/memory/2656-61-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2656	word.exe

Loads dropped DLL 1 IoCs

pid	Process
2656	word.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\ProgramData\\e260\\word.exe"	word.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2476	2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe	28
PID 2912 wrote to memory of 2476	2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe	28
PID 2912 wrote to memory of 2476	2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe	28
PID 2912 wrote to memory of 2476	2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe	28
PID 2912 wrote to memory of 324	2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe	33
PID 2912 wrote to memory of 324	2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe	33
PID 2912 wrote to memory of 324	2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe	33
PID 2912 wrote to memory of 324	2912	3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe	33

C:\Users\Admin\AppData\Local\Temp\3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe
"C:\Users\Admin\AppData\Local\Temp\3f2fda494e6b41176f91f9cf23f66e1001a3873085cb67b090f4de2d2dd6b8ab.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "md C:\ProgramData\e260"
  2⤵
  PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\ProgramData\e260
  2⤵
  PID:324

C:\ProgramData\e260\word.exe
"C:\ProgramData\e260\word.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\e260\word.exe

Filesize
398KB

MD5
f13f5ac8b89c9ac8d02d1ef7cf9bdf0a

SHA1
a65ffcc750e84e3fdc6e56829ccd77229d73eee9

SHA256
1649152cf5eb988b0c02f413a29ec20fcd452e0c5aafd63406b1a7a9062c8a85

SHA512
0214670c60caaf1800704f6a93691f820a363b367a374584c6f56ea0497b1896db2d16c004315f16bfb65069ecbf53bf4b2f9ad34c6d8ba4b006c6482c9a5a40

Download Submit
C:\ProgramData\e260\wwlib.dll

Filesize
91KB

MD5
696d87e338df44822b76dbb6207879b8

SHA1
c1142ca38f4185d315315ef3797f10da6bda9c8a

SHA256
f33daae3633ce2d1870bcf5a96c331576c88f6f4ba5b27ddc4d613749c9330bd

SHA512
bb4bb8ca6945a3a828ac7ad905c80eb22523a42fba38565f9df14266abda844d180257bc218c98ff17c14a12c198b9c946e859490fbb7289528790e5ec3e5200

Download Submit
\ProgramData\e260\wwlib.dll

Filesize
91KB

MD5
696d87e338df44822b76dbb6207879b8

SHA1
c1142ca38f4185d315315ef3797f10da6bda9c8a

SHA256
f33daae3633ce2d1870bcf5a96c331576c88f6f4ba5b27ddc4d613749c9330bd

SHA512
bb4bb8ca6945a3a828ac7ad905c80eb22523a42fba38565f9df14266abda844d180257bc218c98ff17c14a12c198b9c946e859490fbb7289528790e5ec3e5200

Download Submit
memory/2656-58-0x000000002F8A0000-0x000000002F906000-memory.dmp

Filesize
408KB

Download
memory/2656-59-0x0000000000100000-0x0000000000126000-memory.dmp

Filesize
152KB

Download
memory/2656-60-0x000000002F8A0000-0x000000002F906000-memory.dmp

Filesize
408KB

Download
memory/2656-61-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads