Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-11-2023 15:42

General

  • Target

    加速器破解/破解补丁.exe (Chinese: "accelerator crack/crack patch.exe")

  • Size

    1.7MB

  • MD5

    3a740fd4be0cf91afb6b24578377831b

  • SHA1

    13672b2c077adab7132243ad5668b790d97542a9

  • SHA256

    098d2e56d29568e907b5df84ca8cd629fb5e24ec1f612b60133dda9063ce8aef

  • SHA512

    b3d9821e2677d9a696548a65ea842b9bac2cec5b616f0162c53c83a1da9bf64beddfe4a46fcb901ba8490d9abe6d02e8cb88c57c8864a91981b27a6ae84de0ae

  • SSDEEP

    12288:2G/0XYg0NtX46rHjOe7Sy5oFUEv6xgIsxITrLSRfWP5x0c:2G8XY5NF4sjP152Ua6dsxI8f05v

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

  • Chinese Botnet payload (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 22 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandbox environments.

  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\加速器破解\破解补丁.exe
    "C:\Users\Admin\AppData\Local\Temp\加速器破解\破解补丁.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\Server.exe
      C:\Windows\system32\\Server.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      PID:2144
  • C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe
    "C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe

    Filesize

    1.0MB

    MD5

    5e0bd14c0976831e38f6674892ed9ac6

    SHA1

    2d345b6ce9fb5c3f70353530f392c70b5776e95a

    SHA256

    35f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302

    SHA512

    4a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437

  • C:\Windows\SysWOW64\Server.exe

    Filesize

    1.0MB

    MD5

    5e0bd14c0976831e38f6674892ed9ac6

    SHA1

    2d345b6ce9fb5c3f70353530f392c70b5776e95a

    SHA256

    35f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302

    SHA512

    4a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437

  • \Windows\SysWOW64\Server.exe

    Filesize

    1.0MB

    MD5

    5e0bd14c0976831e38f6674892ed9ac6

    SHA1

    2d345b6ce9fb5c3f70353530f392c70b5776e95a

    SHA256

    35f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302

    SHA512

    4a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437

  • memory/2144-8-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB
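
The Downloads list above records one 1.0MB binary (SHA-256 35f667c4…6302) under several path entries, and the process tree shows that binary running both as C:\Windows\SysWOW64\Server.exe (child of the dropper) and as C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe (a top-level process). The Python below is an added triage example, not part of the sandbox report or of any tool it names: it folds the report's entries into a single hash-keyed IoC set and then sweeps a directory tree for files carrying any of those hashes. The temporary directory layout, the stand-in file contents and the stand-in hash are constructed for the demo; the assumption that drive-less report paths live on C: is labelled in the code.

```python
"""Triage helper for the report above: consolidate the Downloads entries by
SHA-256, then sweep a directory tree for any file carrying one of those hashes.
Added example, not part of the sandbox report."""
import hashlib
import os
import tempfile
from collections import defaultdict

# (path, sha256) pairs transcribed from the Downloads section of the report.
PAYLOAD_SHA256 = "35f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302"
DROPPER_SHA256 = "098d2e56d29568e907b5df84ca8cd629fb5e24ec1f612b60133dda9063ce8aef"
REPORT_ARTIFACTS = [
    (r"C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe", PAYLOAD_SHA256),
    (r"C:\Windows\SysWOW64\Server.exe", PAYLOAD_SHA256),
    (r"C:\Windows\SysWOW64\Server.exe", PAYLOAD_SHA256),
    (r"\Windows\SysWOW64\Server.exe", PAYLOAD_SHA256),
]


def consolidate(artifacts):
    """Group report entries by SHA-256 so each distinct binary is listed once
    with every path it was seen at. Drive-less paths are assumed to be on C:."""
    by_hash = defaultdict(set)
    for path, digest in artifacts:
        if path.startswith("\\"):
            path = "C:" + path  # assumption: the report omits the drive letter for C:
        by_hash[digest.lower()].add(path)
    return {digest: sorted(paths) for digest, paths in by_hash.items()}


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_hashes):
    """Walk `root`, hash every regular file, and return {relative path: sha256}
    for files whose digest is in `ioc_hashes`. Paths use '/' for portability."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of(full)
            except OSError:  # unreadable or vanished file: skip it, do not abort the sweep
                continue
            if digest in wanted:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hits


# Constructed stand-in: sha256(b"abc"), used in place of the real payload so the
# example runs without the malware sample.
PLANTED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo():
    """Build a throwaway tree shaped like the report's drop locations, plant a
    stand-in file at the Server.exe path, and sweep for the report's hashes
    plus the stand-in's hash. Returns the sweep hits."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = os.path.join(root, "Windows", "SysWOW64")
        prog_dir = os.path.join(root, "Program Files (x86)", "Microsoft Eiwisc")
        os.makedirs(sys_dir)
        os.makedirs(prog_dir)
        with open(os.path.join(sys_dir, "Server.exe"), "wb") as fh:
            fh.write(b"abc")  # constructed stand-in content
        with open(os.path.join(prog_dir, "Gouarlv.exe"), "wb") as fh:
            fh.write(b"benign decoy")  # same name, different content: must not match
        iocs = set(consolidate(REPORT_ARTIFACTS)) | {DROPPER_SHA256, PLANTED_SHA256}
        return sweep(root, iocs)


if __name__ == "__main__":
    for digest, paths in consolidate(REPORT_ARTIFACTS).items():
        print(digest, "->", paths)
    print(demo())
```

Matching on the hash rather than on the file name is deliberate: the same binary appears here as Server.exe and as Gouarlv.exe, and only the digest ties the two together. When running this against a real 64-bit Windows host, use a 64-bit Python: for a 32-bit process, WOW64 file system redirection maps C:\Windows\System32 to SysWOW64, which is also why the dropper's command line names system32\Server.exe while the file is recorded under SysWOW64.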