Analysis

  • max time kernel: 200s
  • max time network: 218s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231020-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-10-2023 23:30

General

  • Target: 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  • Size: 5.0MB
  • MD5: d99fa0f3bb1d5f7ec9ad59f65792dd7e
  • SHA1: b32234f192f7ad7b6f47ede384e9f3141b3939ac
  • SHA256: 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec
  • SHA512: 4c8fab96b3dd5cd2ae093b0faf87be4a2426025ed878298a1069e949a126bebb9eae4032d2ec9195fc4b2005dd2e089e8f4fc5d2c3195aa26891f10f89d8905f
  • SSDEEP: 98304:0PoTqKZPHbeiSTOFkTdNMrqgpysae0HCjZzwiP4/XPGCdi6bu:0JKJe5QkTdv6N0/X9dir

Signatures

  • Generic Chinese Botnet
    A botnet originating from China which is currently unnamed publicly.
  • Chinese Botnet payload (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (62 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (14 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe (PID 3848)
    "C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe"
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SYSTEM32\cmd.exe (PID 2808)
      cmd.exe /c set
    • C:\Users\Admin\AppData\Local\Temp\~849862670122946174~\sg.tmp (PID 4980)
      7zG_exe x "C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~4935789192976061137"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
    • C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\辅助.exe (PID 1396)
      "C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\辅助.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\QProtect.exe (PID 2372)
        C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\QProtect.exe
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx


Downloads

  • C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\QProtect.exe
    Filesize: 2.8MB
    MD5: 33edfe756b6fe6f88e08a638c1848664
    SHA1: 9744638e75bea1f242dfaa5d6b254c8eb8052b1f
    SHA256: 7862d5f683b0e384b041ef1938e4b43ad4469f12f2416548afdbc6530cc99e58
    SHA512: 67dc943a145d21f72a26aa9cdf19dbbc7e489d3a89523da9271d58badbcfef8769d1e0abdb7eef6be45b7dc76fde9a744e6bf6c483d0364666797ecb65c372e3

  • C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\辅助.exe
    Filesize: 668KB
    MD5: 61d5400899bcb5ca8fef956a0130371e
    SHA1: f0332f978a7308d26afa3701e1b35237133bbab0
    SHA256: f025d093d446ed213ce12965a6d95bc721611bb6654e72a6313fafa03643223b
    SHA512: 91beb574fa3c5b9f5c3387aff7913bc166713f91be93f79a3179c846b17822106e15487fd3d55016a7f9378f805cd2f806950687889e14d6ba56764ab0919b79

  • C:\Users\Admin\AppData\Local\Temp\~849862670122946174~\sg.tmp
    Filesize: 715KB
    MD5: 7c4718943bd3f66ebdb47ccca72c7b1e
    SHA1: f9edfaa7adb8fa528b2e61b2b251f18da10a6969
    SHA256: 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
    SHA512: e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

  • memory/2372-30-0x0000000000400000-0x00000000007E6000-memory.dmp (Filesize: 3.9MB)
  • memory/2372-28-0x0000000000400000-0x00000000007E6000-memory.dmp (Filesize: 3.9MB)
  • memory/2372-43-0x0000000000400000-0x00000000007E6000-memory.dmp (Filesize: 3.9MB)
  • memory/2372-37-0x0000000010000000-0x000000001001F000-memory.dmp (Filesize: 124KB)
  • memory/2372-35-0x0000000000400000-0x00000000007E6000-memory.dmp (Filesize: 3.9MB)
  • memory/2372-34-0x0000000000400000-0x00000000007E6000-memory.dmp (Filesize: 3.9MB)
  • memory/2372-32-0x0000000000400000-0x00000000007E6000-memory.dmp (Filesize: 3.9MB)
  • memory/2372-31-0x0000000000400000-0x00000000007E6000-memory.dmp (Filesize: 3.9MB)
  • memory/2372-29-0x0000000000400000-0x00000000007E6000-memory.dmp (Filesize: 3.9MB)
  • memory/3848-21-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-2-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-1-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-3-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-0-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-4-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-6-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-19-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-5-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-36-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-9-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)
  • memory/3848-8-0x0000000000400000-0x0000000000664000-memory.dmp (Filesize: 2.4MB)