chinese_generic_botnet | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec

Analysis

max time kernel
170s
max time network
186s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Size

5.0MB
MD5

d99fa0f3bb1d5f7ec9ad59f65792dd7e
SHA1

b32234f192f7ad7b6f47ede384e9f3141b3939ac
SHA256

55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec
SHA512

4c8fab96b3dd5cd2ae093b0faf87be4a2426025ed878298a1069e949a126bebb9eae4032d2ec9195fc4b2005dd2e089e8f4fc5d2c3195aa26891f10f89d8905f
SSDEEP

98304:0PoTqKZPHbeiSTOFkTdNMrqgpysae0HCjZzwiP4/XPGCdi6bu:0JKJe5QkTdv6N0/X9dir

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral1/memory/2616-37-0x0000000010000000-0x000000001001F000-memory.dmp	unk_chinese_botnet
behavioral1/memory/2616-43-0x0000000000400000-0x00000000007E6000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 3 IoCs

pid	Process
2884	sg.tmp
2388	辅助.exe
2616	QProtect.exe

Loads dropped DLL 4 IoCs

pid	Process
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2388	辅助.exe
2388	辅助.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QProtect = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~8738147205635585037\\QProtect.exe"	辅助.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Terms.exe"	QProtect.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
2616	QProtect.exe
2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Terms.exe	QProtect.exe
File opened for modification	C:\Windows\Terms.exe	QProtect.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2616	QProtect.exe
2616	QProtect.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: SeRestorePrivilege	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: 33	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: SeIncBasePriorityPrivilege	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: 33	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: SeIncBasePriorityPrivilege	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: 33	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: SeIncBasePriorityPrivilege	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: SeRestorePrivilege	2884	sg.tmp
Token: 35	2884	sg.tmp
Token: SeSecurityPrivilege	2884	sg.tmp
Token: SeSecurityPrivilege	2884	sg.tmp
Token: 33	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
Token: SeIncBasePriorityPrivilege	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2388	辅助.exe
2388	辅助.exe
2616	QProtect.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2788	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	27
PID 2772 wrote to memory of 2788	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	27
PID 2772 wrote to memory of 2788	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	27
PID 2772 wrote to memory of 2788	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	27
PID 2772 wrote to memory of 2884	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	29
PID 2772 wrote to memory of 2884	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	29
PID 2772 wrote to memory of 2884	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	29
PID 2772 wrote to memory of 2884	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	29
PID 2772 wrote to memory of 2388	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	31
PID 2772 wrote to memory of 2388	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	31
PID 2772 wrote to memory of 2388	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	31
PID 2772 wrote to memory of 2388	2772	55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe	31
PID 2388 wrote to memory of 2616	2388	辅助.exe	32
PID 2388 wrote to memory of 2616	2388	辅助.exe	32
PID 2388 wrote to memory of 2616	2388	辅助.exe	32
PID 2388 wrote to memory of 2616	2388	辅助.exe	32

C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
"C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\~8894275380488833654~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~8738147205635585037"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\~8738147205635585037\辅助.exe
  "C:\Users\Admin\AppData\Local\Temp\~8738147205635585037\辅助.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\~8738147205635585037\QProtect.exe
    C:\Users\Admin\AppData\Local\Temp\~8738147205635585037\QProtect.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~8738147205635585037\QProtect.exe

Filesize
2.8MB

MD5
33edfe756b6fe6f88e08a638c1848664

SHA1
9744638e75bea1f242dfaa5d6b254c8eb8052b1f

SHA256
7862d5f683b0e384b041ef1938e4b43ad4469f12f2416548afdbc6530cc99e58

SHA512
67dc943a145d21f72a26aa9cdf19dbbc7e489d3a89523da9271d58badbcfef8769d1e0abdb7eef6be45b7dc76fde9a744e6bf6c483d0364666797ecb65c372e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8738147205635585037\QProtect.exe

Filesize
2.8MB

MD5
33edfe756b6fe6f88e08a638c1848664

SHA1
9744638e75bea1f242dfaa5d6b254c8eb8052b1f

SHA256
7862d5f683b0e384b041ef1938e4b43ad4469f12f2416548afdbc6530cc99e58

SHA512
67dc943a145d21f72a26aa9cdf19dbbc7e489d3a89523da9271d58badbcfef8769d1e0abdb7eef6be45b7dc76fde9a744e6bf6c483d0364666797ecb65c372e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8738147205635585037\辅助.exe

Filesize
668KB

MD5
61d5400899bcb5ca8fef956a0130371e

SHA1
f0332f978a7308d26afa3701e1b35237133bbab0

SHA256
f025d093d446ed213ce12965a6d95bc721611bb6654e72a6313fafa03643223b

SHA512
91beb574fa3c5b9f5c3387aff7913bc166713f91be93f79a3179c846b17822106e15487fd3d55016a7f9378f805cd2f806950687889e14d6ba56764ab0919b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8738147205635585037\辅助.exe

Filesize
668KB

MD5
61d5400899bcb5ca8fef956a0130371e

SHA1
f0332f978a7308d26afa3701e1b35237133bbab0

SHA256
f025d093d446ed213ce12965a6d95bc721611bb6654e72a6313fafa03643223b

SHA512
91beb574fa3c5b9f5c3387aff7913bc166713f91be93f79a3179c846b17822106e15487fd3d55016a7f9378f805cd2f806950687889e14d6ba56764ab0919b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8894275380488833654~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\Users\Admin\AppData\Local\Temp\~8738147205635585037\QProtect.exe

Filesize
2.8MB

MD5
33edfe756b6fe6f88e08a638c1848664

SHA1
9744638e75bea1f242dfaa5d6b254c8eb8052b1f

SHA256
7862d5f683b0e384b041ef1938e4b43ad4469f12f2416548afdbc6530cc99e58

SHA512
67dc943a145d21f72a26aa9cdf19dbbc7e489d3a89523da9271d58badbcfef8769d1e0abdb7eef6be45b7dc76fde9a744e6bf6c483d0364666797ecb65c372e3

Download Submit
\Users\Admin\AppData\Local\Temp\~8738147205635585037\QProtect.exe

Filesize
2.8MB

MD5
33edfe756b6fe6f88e08a638c1848664

SHA1
9744638e75bea1f242dfaa5d6b254c8eb8052b1f

SHA256
7862d5f683b0e384b041ef1938e4b43ad4469f12f2416548afdbc6530cc99e58

SHA512
67dc943a145d21f72a26aa9cdf19dbbc7e489d3a89523da9271d58badbcfef8769d1e0abdb7eef6be45b7dc76fde9a744e6bf6c483d0364666797ecb65c372e3

Download Submit
\Users\Admin\AppData\Local\Temp\~8738147205635585037\辅助.exe

Filesize
668KB

MD5
61d5400899bcb5ca8fef956a0130371e

SHA1
f0332f978a7308d26afa3701e1b35237133bbab0

SHA256
f025d093d446ed213ce12965a6d95bc721611bb6654e72a6313fafa03643223b

SHA512
91beb574fa3c5b9f5c3387aff7913bc166713f91be93f79a3179c846b17822106e15487fd3d55016a7f9378f805cd2f806950687889e14d6ba56764ab0919b79

Download Submit
\Users\Admin\AppData\Local\Temp\~8894275380488833654~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/2388-26-0x0000000002130000-0x0000000002516000-memory.dmp

Filesize
3.9MB

Download
memory/2388-28-0x0000000002130000-0x0000000002516000-memory.dmp

Filesize
3.9MB

Download
memory/2388-59-0x0000000002130000-0x0000000002516000-memory.dmp

Filesize
3.9MB

Download
memory/2616-35-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2616-33-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2616-43-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2616-37-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2616-36-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2616-29-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2616-30-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2616-31-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2616-32-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/2772-3-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/2772-5-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/2772-2-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/2772-1-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/2772-42-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/2772-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/2772-4-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download