Analysis
- max time kernel: 200s
- max time network: 218s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-10-2023 23:30
Static task: static1
Behavioral task: behavioral1
- Sample: 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
- Resource: win10v2004-20231020-en
General
- Target: 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
- Size: 5.0MB
- MD5: d99fa0f3bb1d5f7ec9ad59f65792dd7e
- SHA1: b32234f192f7ad7b6f47ede384e9f3141b3939ac
- SHA256: 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec
- SHA512: 4c8fab96b3dd5cd2ae093b0faf87be4a2426025ed878298a1069e949a126bebb9eae4032d2ec9195fc4b2005dd2e089e8f4fc5d2c3195aa26891f10f89d8905f
- SSDEEP: 98304:0PoTqKZPHbeiSTOFkTdNMrqgpysae0HCjZzwiP4/XPGCdi6bu:0JKJe5QkTdv6N0/X9dir
Malware Config
Signatures
- Generic Chinese Botnet
  A botnet originating from China which is currently unnamed publicly.
- Chinese Botnet payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2372-37-0x0000000010000000-0x000000001001F000-memory.dmp | unk_chinese_botnet
  behavioral2/memory/2372-43-0x0000000000400000-0x00000000007E6000-memory.dmp | unk_chinese_botnet
- Executes dropped EXE (3 IoCs)
  pid | Process
  4980 | sg.tmp
  1396 | 辅助.exe
  2372 | QProtect.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QProtect = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~4935789192976061137\\QProtect.exe" | 辅助.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Terms.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~4935789192976061137\\QProtect.exe" | QProtect.exe
  Both Run values point at the same dropped QProtect.exe in the temporary extraction directory; the per-user value is registered under the name Terms.exe rather than the binary's own name.
- Suspicious use of NtSetInformationThreadHideFromDebugger (62 IoCs)
  NtSetInformationThread with the ThreadHideFromDebugger information class detaches the calling thread from an attached debugger, a common anti-analysis measure.
  pid | Process
  3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe (36 entries)
  2372 | QProtect.exe (26 entries)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2372 | QProtect.exe
  2372 | QProtect.exe
- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: SeRestorePrivilege | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: 33 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: SeIncBasePriorityPrivilege | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: 33 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: SeIncBasePriorityPrivilege | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: 33 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: SeIncBasePriorityPrivilege | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: SeRestorePrivilege | 4980 | sg.tmp
  Token: 35 | 4980 | sg.tmp
  Token: SeSecurityPrivilege | 4980 | sg.tmp
  Token: SeSecurityPrivilege | 4980 | sg.tmp
  Token: 33 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Token: SeIncBasePriorityPrivilege | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1396 | 辅助.exe
  1396 | 辅助.exe
  2372 | QProtect.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 3848 wrote to memory of 2808 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe | 86
  PID 3848 wrote to memory of 2808 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe | 86
  PID 3848 wrote to memory of 4980 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe | 88
  PID 3848 wrote to memory of 4980 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe | 88
  PID 3848 wrote to memory of 4980 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe | 88
  PID 3848 wrote to memory of 1396 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe | 90
  PID 3848 wrote to memory of 1396 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe | 90
  PID 3848 wrote to memory of 1396 | 3848 | 55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe | 90
  PID 1396 wrote to memory of 2372 | 1396 | 辅助.exe | 91
  PID 1396 wrote to memory of 2372 | 1396 | 辅助.exe | 91
  PID 1396 wrote to memory of 2372 | 1396 | 辅助.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe"
  PID: 3848
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c set
    PID: 2808

  C:\Users\Admin\AppData\Local\Temp\~849862670122946174~\sg.tmp
    Command line: 7zG_exe x "C:\Users\Admin\AppData\Local\Temp\55ef42f1d1a2923d4041e90d8f9e4236b0f0bd12b02d4fa64dac3a84a836eeec.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~4935789192976061137"
    PID: 4980
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    The command line uses 7-Zip syntax: x extracts with full paths, -y answers yes to all prompts, -aoa overwrites existing files without asking, and -o sets the output directory. The sample is therefore unpacked as an archive into the ~4935789192976061137 directory from which the next two executables run.

  C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\辅助.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\辅助.exe"
    PID: 1396
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\QProtect.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\~4935789192976061137\QProtect.exe
      PID: 2372
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.8MB
  MD5: 33edfe756b6fe6f88e08a638c1848664
  SHA1: 9744638e75bea1f242dfaa5d6b254c8eb8052b1f
  SHA256: 7862d5f683b0e384b041ef1938e4b43ad4469f12f2416548afdbc6530cc99e58
  SHA512: 67dc943a145d21f72a26aa9cdf19dbbc7e489d3a89523da9271d58badbcfef8769d1e0abdb7eef6be45b7dc76fde9a744e6bf6c483d0364666797ecb65c372e3
- Filesize: 668KB
  MD5: 61d5400899bcb5ca8fef956a0130371e
  SHA1: f0332f978a7308d26afa3701e1b35237133bbab0
  SHA256: f025d093d446ed213ce12965a6d95bc721611bb6654e72a6313fafa03643223b
  SHA512: 91beb574fa3c5b9f5c3387aff7913bc166713f91be93f79a3179c846b17822106e15487fd3d55016a7f9378f805cd2f806950687889e14d6ba56764ab0919b79
- Filesize: 715KB
  MD5: 7c4718943bd3f66ebdb47ccca72c7b1e
  SHA1: f9edfaa7adb8fa528b2e61b2b251f18da10a6969
  SHA256: 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
  SHA512: e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516