Overview

overview

10

Static

static

3

98b80e7fed...4c.exe

windows7-x64

10

98b80e7fed...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2023 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe

  • Size

    4.1MB

  • MD5

    38ba300995f10a2fc95bdf4428ca6405

  • SHA1

    2a03a9350c7ec86b66ea48042a7e61c88a3db7eb

  • SHA256

    98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c

  • SHA512

    7c08878434aa53ae269e5a4e98111e5f2e4f477e9d1ae719df3ca13f32f64aa3b3ccadbad008282309d116452e5e4b39018d4e5802daf26e5d50cc1083a97de2

  • SSDEEP

    49152:d9utIMHSlVNEPS5B8riKy3hEPLna+NiW56wCpVHJNt/Mn+s8KuqGaX0ToIBAUZL1:7jMS5+riKyePLVNP6THJvJBAUZLjh

Score
10/10
chinese_generic_botnetbotnet

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet payload 1 IoCs
    botnet
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
    "C:\Users\Admin\AppData\Local\Temp\98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Local\Temp\shibie.exe
      C:\Users\Admin\AppData\Local\Temp\\shibie.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2256
  • C:\Program Files (x86)\Microsoft Kwmcwq\Inkfbls.exe
    "C:\Program Files (x86)\Microsoft Kwmcwq\Inkfbls.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Program Files (x86)\Microsoft Kwmcwq\Inkfbls.exe
      "C:\Program Files (x86)\Microsoft Kwmcwq\Inkfbls.exe" Win7
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Kwmcwq\Inkfbls.exe
    Filesize

    1.0MB

    MD5

    cd59e1fba80e9b5314be38df0da8a797

    SHA1

    e3a01d14112e33a847ff691dcb55b9e20af7641e

    SHA256

    6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

    SHA512

    ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

    Download Submit

  • C:\Program Files (x86)\Microsoft Kwmcwq\Inkfbls.exe
    Filesize

    1.0MB

    MD5

    cd59e1fba80e9b5314be38df0da8a797

    SHA1

    e3a01d14112e33a847ff691dcb55b9e20af7641e

    SHA256

    6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

    SHA512

    ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

    Download Submit

  • C:\Program Files (x86)\Microsoft Kwmcwq\Inkfbls.exe
    Filesize

    1.0MB

    MD5

    cd59e1fba80e9b5314be38df0da8a797

    SHA1

    e3a01d14112e33a847ff691dcb55b9e20af7641e

    SHA256

    6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

    SHA512

    ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\shibie.exe
    Filesize

    1.0MB

    MD5

    cd59e1fba80e9b5314be38df0da8a797

    SHA1

    e3a01d14112e33a847ff691dcb55b9e20af7641e

    SHA256

    6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

    SHA512

    ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\shibie.exe
    Filesize

    1.0MB

    MD5

    cd59e1fba80e9b5314be38df0da8a797

    SHA1

    e3a01d14112e33a847ff691dcb55b9e20af7641e

    SHA256

    6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

    SHA512

    ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\shibie.exe
    Filesize

    1.0MB

    MD5

    cd59e1fba80e9b5314be38df0da8a797

    SHA1

    e3a01d14112e33a847ff691dcb55b9e20af7641e

    SHA256

    6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

    SHA512

    ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

    Download Submit

  • \Users\Admin\AppData\Local\Temp\shibie.exe
    Filesize

    1.0MB

    MD5

    cd59e1fba80e9b5314be38df0da8a797

    SHA1

    e3a01d14112e33a847ff691dcb55b9e20af7641e

    SHA256

    6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

    SHA512

    ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

    Download Submit

  • \Users\Admin\AppData\Local\Temp\shibie.exe
    Filesize

    1.0MB

    MD5

    cd59e1fba80e9b5314be38df0da8a797

    SHA1

    e3a01d14112e33a847ff691dcb55b9e20af7641e

    SHA256

    6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

    SHA512

    ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

    Download Submit

  • memory/2256-8-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

    Download