Analysis

  • max time kernel
    117s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-11-2023 01:08

General

  • Target

    NEAS.108fde1527d48fabd718d3b25d58ce40.exe

  • Size

    1.8MB

  • MD5

    108fde1527d48fabd718d3b25d58ce40

  • SHA1

    fdd49fafb3fc40b700204f60d754143468762f4d

  • SHA256

    b4d51b0354e7508d723396fa6affd92b5108fa3cd27ecd4c86001a5ffb999cb8

  • SHA512

    140a12f14e3733a4a2989dccf645033e628684bcd4c56e63c7d2d22ed2893ce71e986e6c1ef04fde121125dbed128d48245d121980ac0bceb2fe7fdc809e6e04

  • SSDEEP

    12288:uvTIiUxmYh90jjAblb1yHy8ZV0Lug6BtPtzFS30pS6zxgIsxITrLpyPYCSXh1M2p:ubIiCm898jGyS8RY3VSdsxIPL1/xUU

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

  • Chinese Botnet payload 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.108fde1527d48fabd718d3b25d58ce40.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.108fde1527d48fabd718d3b25d58ce40.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\Server.exe
      C:\Windows\system32\\Server.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1056
  • C:\Program Files (x86)\Microsoft Yeqcqk\Rotzeac.exe
    "C:\Program Files (x86)\Microsoft Yeqcqk\Rotzeac.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Program Files (x86)\Microsoft Yeqcqk\Rotzeac.exe
      "C:\Program Files (x86)\Microsoft Yeqcqk\Rotzeac.exe" Win7
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Yeqcqk\Rotzeac.exe

    Filesize

    1.0MB

    MD5

    b1b90cec4501087e97426d83c01bbd1f

    SHA1

    444dae63f2a182366fb40060bd91f174dd33424b

    SHA256

    6d42ce925574750c88aff2d8e3b4cb0d500ef23d520706f82ed913eba9c466fe

    SHA512

    806f1956cb05db1ab8f2d35223c961919cc5d7ce4d63aef1dad1f9d51927b3a7e6022b1df52c6f8bcbf595d3df0134ce6101f3b557c716934ad0f91dafcece81

  • C:\Windows\SysWOW64\Server.exe

    Filesize

    1.0MB

    MD5

    b1b90cec4501087e97426d83c01bbd1f

    SHA1

    444dae63f2a182366fb40060bd91f174dd33424b

    SHA256

    6d42ce925574750c88aff2d8e3b4cb0d500ef23d520706f82ed913eba9c466fe

    SHA512

    806f1956cb05db1ab8f2d35223c961919cc5d7ce4d63aef1dad1f9d51927b3a7e6022b1df52c6f8bcbf595d3df0134ce6101f3b557c716934ad0f91dafcece81

  • \Windows\SysWOW64\Server.exe

    Filesize

    1.0MB

    MD5

    b1b90cec4501087e97426d83c01bbd1f

    SHA1

    444dae63f2a182366fb40060bd91f174dd33424b

    SHA256

    6d42ce925574750c88aff2d8e3b4cb0d500ef23d520706f82ed913eba9c466fe

    SHA512

    806f1956cb05db1ab8f2d35223c961919cc5d7ce4d63aef1dad1f9d51927b3a7e6022b1df52c6f8bcbf595d3df0134ce6101f3b557c716934ad0f91dafcece81

  • memory/1056-8-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB