chinese_generic_botnet | e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f

General

Target

e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f.exe
Size

636KB
MD5

97d7cd02edcf10c9080bd2284a46fc1b
SHA1

e179694627f7a194e492461ed58fa875e0b2f127
SHA256

e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f
SHA512

b272f7abde944e24695f33ec141deb35e3e6c641151d70f76234f218794be4d15817f9baa537051b22613f188116960e533c3f4d5b9e489ba98f1e34d5fd03d9
SSDEEP

6144:ZWMjNEqWNAML6edtpVYSDvEocoBMPAC6aRMJHaCVJw+0:Zvuq2RL3ddLEc9C6aOJ6t

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2064-0-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 1 IoCs

pid	Process
2512	Java Protection Program.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Java Protection Program.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java Protection Program.exe	e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f.exe
File opened for modification	C:\Program Files (x86)\Java Protection Program.exe	e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Java Protection Program.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Java Protection Program.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Java Protection Program.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41610D22-9104-4A5B-8D62-4DEE6F1CE60B}\92-5b-3f-a3-10-23	Java Protection Program.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-5b-3f-a3-10-23\WpadDecision = "0"	Java Protection Program.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-5b-3f-a3-10-23\WpadDecisionReason = "1"	Java Protection Program.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Java Protection Program.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Java Protection Program.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Java Protection Program.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ab000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Java Protection Program.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41610D22-9104-4A5B-8D62-4DEE6F1CE60B}	Java Protection Program.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41610D22-9104-4A5B-8D62-4DEE6F1CE60B}\WpadDecisionReason = "1"	Java Protection Program.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41610D22-9104-4A5B-8D62-4DEE6F1CE60B}\WpadDecision = "0"	Java Protection Program.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Java Protection Program.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Java Protection Program.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Java Protection Program.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Java Protection Program.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41610D22-9104-4A5B-8D62-4DEE6F1CE60B}\WpadNetworkName = "Network 2"	Java Protection Program.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-5b-3f-a3-10-23	Java Protection Program.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Java Protection Program.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Java Protection Program.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Java Protection Program.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41610D22-9104-4A5B-8D62-4DEE6F1CE60B}\WpadDecisionTime = 8025904d1ff5d901	Java Protection Program.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-5b-3f-a3-10-23\WpadDecisionTime = 8025904d1ff5d901	Java Protection Program.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2064	e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2064	e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f.exe
2512	Java Protection Program.exe

C:\Users\Admin\AppData\Local\Temp\e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f.exe
"C:\Users\Admin\AppData\Local\Temp\e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Program Files (x86)\Java Protection Program.exe
"C:\Program Files (x86)\Java Protection Program.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java Protection Program.exe

Filesize
636KB

MD5
97d7cd02edcf10c9080bd2284a46fc1b

SHA1
e179694627f7a194e492461ed58fa875e0b2f127

SHA256
e4f58ce9777bdc2aede3ec7e2d03540417a9e145929aa94d042e5ec4e441c19f

SHA512
b272f7abde944e24695f33ec141deb35e3e6c641151d70f76234f218794be4d15817f9baa537051b22613f188116960e533c3f4d5b9e489ba98f1e34d5fd03d9

Download Submit
memory/2064-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing