chinese_generic_botnet | ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4

Analysis

max time kernel
122s
max time network
141s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
Size

500KB
MD5

874e3a6e8fe2a608df7582000f03539b
SHA1

f4ee78934e8ede611046dc3a1c553d3b76dab7f8
SHA256

ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4
SHA512

26a80313929bcd4286ba9c9a5a4b3d645e3389630bf7657123f27d4f2c6de05efaae5d27bb0bfb45451850bed49700fa77454a10bee3f7eacbcc20b2b82f1c33
SSDEEP

3072:d5OsiQ79xzUcbK9LK/fzuaCrutJUy6yQ9ie6kgR2voGXQ9jf4o7Qr7y1P+g:L7hoBO/fzxb26kR8fPkny12

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2316-0-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\O:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\Q:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\Y:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\G:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\J:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\I:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\S:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\T:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\W:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\Z:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\B:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\H:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\V:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\X:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\E:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\L:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\P:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\R:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\U:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\K:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
File opened (read-only)	\??\M:	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2316	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2316	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2316	ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe

C:\Users\Admin\AppData\Local\Temp\ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe
"C:\Users\Admin\AppData\Local\Temp\ae176bef894bea7ba45b12036f2c015b360c3d3abb85150ce6e9448154ff13f4.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2316-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download