Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2023 15:42
Static task
static1
Behavioral task
behavioral1
Sample
加速器破解/BGX工具SST6.0.exe
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral2
Sample
加速器破解/BGX工具SST6.0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
加速器破解/破解补丁.exe
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral4
Sample
加速器破解/破解补丁.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
General
-
Target
加速器破解/破解补丁.exe
-
Size
1.7MB
-
MD5
3a740fd4be0cf91afb6b24578377831b
-
SHA1
13672b2c077adab7132243ad5668b790d97542a9
-
SHA256
098d2e56d29568e907b5df84ca8cd629fb5e24ec1f612b60133dda9063ce8aef
-
SHA512
b3d9821e2677d9a696548a65ea842b9bac2cec5b616f0162c53c83a1da9bf64beddfe4a46fcb901ba8490d9abe6d02e8cb88c57c8864a91981b27a6ae84de0ae
-
SSDEEP
12288:2G/0XYg0NtX46rHjOe7Sy5oFUEv6xgIsxITrLSRfWP5x0c:2G8XY5NF4sjP152Ua6dsxI8f05v
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 1 IoCs
resource yara_rule behavioral4/memory/3772-4-0x0000000010000000-0x0000000010018000-memory.dmp unk_chinese_botnet -
Executes dropped EXE 1 IoCs
pid Process 3772 Server.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gouarlv.exe = "C:\\Windows\\SysWOW64\\Server.exe" Server.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: Server.exe File opened (read-only) \??\M: Server.exe File opened (read-only) \??\P: Server.exe File opened (read-only) \??\T: Server.exe File opened (read-only) \??\X: Server.exe File opened (read-only) \??\U: Server.exe File opened (read-only) \??\Z: Server.exe File opened (read-only) \??\B: Server.exe File opened (read-only) \??\H: Server.exe File opened (read-only) \??\N: Server.exe File opened (read-only) \??\O: Server.exe File opened (read-only) \??\R: Server.exe File opened (read-only) \??\S: Server.exe File opened (read-only) \??\I: Server.exe File opened (read-only) \??\K: Server.exe File opened (read-only) \??\L: Server.exe File opened (read-only) \??\Q: Server.exe File opened (read-only) \??\V: Server.exe File opened (read-only) \??\E: Server.exe File opened (read-only) \??\G: Server.exe File opened (read-only) \??\W: Server.exe File opened (read-only) \??\Y: Server.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\Server.exe 破解补丁.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Server.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe 3152 破解补丁.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3152 破解补丁.exe 3152 破解补丁.exe 3772 Server.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3152 wrote to memory of 3772 3152 破解补丁.exe 87 PID 3152 wrote to memory of 3772 3152 破解补丁.exe 87 PID 3152 wrote to memory of 3772 3152 破解补丁.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\加速器破解\破解补丁.exe"C:\Users\Admin\AppData\Local\Temp\加速器破解\破解补丁.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Server.exeC:\Windows\system32\\Server.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3772
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD55e0bd14c0976831e38f6674892ed9ac6
SHA12d345b6ce9fb5c3f70353530f392c70b5776e95a
SHA25635f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302
SHA5124a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437
-
Filesize
1.0MB
MD55e0bd14c0976831e38f6674892ed9ac6
SHA12d345b6ce9fb5c3f70353530f392c70b5776e95a
SHA25635f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302
SHA5124a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437