Overview

overview

10

Static

static

3

a2d0dd1cb8...c5.exe

windows7-x64

10

a2d0dd1cb8...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    26-10-2023 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2d0dd1cb89611c7e979d65a73d51a573de55fb14f1130f28196618a828932c5.exe

  • Size

    1.8MB

  • MD5

    d2f35a6f207bc1d197a8f43c2d31d8ff

  • SHA1

    4645a201aeaa2e3ebed2681908d7a459ec72d8b0

  • SHA256

    a2d0dd1cb89611c7e979d65a73d51a573de55fb14f1130f28196618a828932c5

  • SHA512

    6a648b3cda34f6e62505828456b8f74a9073b40aebfa2965ae7fe36717969a8444ea4c94a9c4ec498a655be6d41d0bb2c2bbcf9a246813fe3f995de4d6775ffd

  • SSDEEP

    24576:XqgLbQGiEwAUnxA7H0slfGJpmd4qEvLtbQgxaO/VXuLOpfdIuA0Fre2M6QJ:XrbRwDC7AmsvnVXdQuA/7R

Score
10/10
chinese_generic_botnetbotnetevasiontrojan

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Chinese Botnet payload 2 IoCs
    botnet
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2d0dd1cb89611c7e979d65a73d51a573de55fb14f1130f28196618a828932c5.exe
    "C:\Users\Admin\AppData\Local\Temp\a2d0dd1cb89611c7e979d65a73d51a573de55fb14f1130f28196618a828932c5.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Windows security modification
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2120
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a2d0dd1cb89611c7e979d65a73d51a573de55fb14f1130f28196618a828932c5.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2664
  • C:\Program Files (x86)\Hblvhrj.exe
    "C:\Program Files (x86)\Hblvhrj.exe"
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Hblvhrj.exe
    Filesize

    45KB

    MD5

    f1feead2143c07ca411d82a29fa964af

    SHA1

    2198e7bf402773757bb2a25311ffd2644e5a1645

    SHA256

    8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

    SHA512

    e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

    Download Submit

  • C:\Program Files (x86)\Hblvhrj.exe
    Filesize

    45KB

    MD5

    f1feead2143c07ca411d82a29fa964af

    SHA1

    2198e7bf402773757bb2a25311ffd2644e5a1645

    SHA256

    8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

    SHA512

    e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

    Download Submit

  • memory/1160-32-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1160-27-0x0000000001110000-0x000000000111E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1160-29-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1160-31-0x000000007EF40000-0x000000007EF50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2120-3-0x0000000004F30000-0x00000000050BC000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2120-0-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2120-34-0x0000000004EF0000-0x0000000004F30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2120-4-0x00000000006E0000-0x00000000006FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2120-19-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2120-2-0x0000000004EF0000-0x0000000004F30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2120-1-0x0000000000A30000-0x0000000000BFA000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2120-18-0x0000000004EF0000-0x0000000004F30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2664-7-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2664-23-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2664-11-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2664-8-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2664-5-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2896-24-0x000000006ECF0000-0x000000006F29B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-17-0x00000000024F0000-0x0000000002530000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2896-16-0x00000000024F0000-0x0000000002530000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2896-28-0x000000006ECF0000-0x000000006F29B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-15-0x000000006ECF0000-0x000000006F29B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-14-0x000000006ECF0000-0x000000006F29B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-30-0x00000000024F0000-0x0000000002530000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2896-33-0x000000006ECF0000-0x000000006F29B000-memory.dmp

    Filesize

    5.7MB

    Download