chinese_generic_botnet | d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 03:59

Target

d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2.exe
Size

362KB
MD5

889e8cb9d9ce4c1fccebc63295ba87f9
SHA1

1117bfd11abae12ed862fc2473ebe101efea8969
SHA256

d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2
SHA512

482643e2ff84a13d6af1e785a5bc48af5c9fd9673d45bddd9495a6a753680d9212ea8dd057438ee2cd943a204bf4b7b1c075e7f60e93bea1e5603bbc87e59e69
SSDEEP

3072:N8jSZi34eTzl51RlVl4bbZlVzWAX6bN56wG14gD:quZ5e8DVzWs6X6wG14gD

Score

10^/10

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/4672-0-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4672	d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2.exe
4672	d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 2768	4672	d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2.exe	84
PID 4672 wrote to memory of 2768	4672	d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2.exe	84
PID 4672 wrote to memory of 2768	4672	d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2.exe	84

C:\Users\Admin\AppData\Local\Temp\d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2.exe
"C:\Users\Admin\AppData\Local\Temp\d5e9a10d67a911ff38eac8eac1b5693bd4225a61773604dba18d4cd6f0d616c2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:2768

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/4672-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download