chinese_generic_botnet | 98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2023 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Size

4.1MB
MD5

38ba300995f10a2fc95bdf4428ca6405
SHA1

2a03a9350c7ec86b66ea48042a7e61c88a3db7eb
SHA256

98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c
SHA512

7c08878434aa53ae269e5a4e98111e5f2e4f477e9d1ae719df3ca13f32f64aa3b3ccadbad008282309d116452e5e4b39018d4e5802daf26e5d50cc1083a97de2
SSDEEP

49152:d9utIMHSlVNEPS5B8riKy3hEPLna+NiW56wCpVHJNt/Mn+s8KuqGaX0ToIBAUZL1:7jMS5+riKyePLVNP6THJvJBAUZLjh

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/1068-4-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 1 IoCs

pid	Process
1068	shibie.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inkfbls.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\shibie.exe"	shibie.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	shibie.exe
File opened (read-only)	\??\R:	shibie.exe
File opened (read-only)	\??\W:	shibie.exe
File opened (read-only)	\??\H:	shibie.exe
File opened (read-only)	\??\L:	shibie.exe
File opened (read-only)	\??\Q:	shibie.exe
File opened (read-only)	\??\T:	shibie.exe
File opened (read-only)	\??\V:	shibie.exe
File opened (read-only)	\??\X:	shibie.exe
File opened (read-only)	\??\Y:	shibie.exe
File opened (read-only)	\??\E:	shibie.exe
File opened (read-only)	\??\P:	shibie.exe
File opened (read-only)	\??\N:	shibie.exe
File opened (read-only)	\??\Z:	shibie.exe
File opened (read-only)	\??\I:	shibie.exe
File opened (read-only)	\??\M:	shibie.exe
File opened (read-only)	\??\J:	shibie.exe
File opened (read-only)	\??\K:	shibie.exe
File opened (read-only)	\??\S:	shibie.exe
File opened (read-only)	\??\U:	shibie.exe
File opened (read-only)	\??\B:	shibie.exe
File opened (read-only)	\??\G:	shibie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	shibie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	shibie.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
1068	shibie.exe
1068	shibie.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: 33	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
Token: SeIncBasePriorityPrivilege	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
1068	shibie.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 1068	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe	85
PID 2720 wrote to memory of 1068	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe	85
PID 2720 wrote to memory of 1068	2720	98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe	85

C:\Users\Admin\AppData\Local\Temp\98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe
"C:\Users\Admin\AppData\Local\Temp\98b80e7fed4b3492ca1fb4e44fc8b239739e66679a92e27d9a37a1968b9d1c4c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\shibie.exe
  C:\Users\Admin\AppData\Local\Temp\\shibie.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\shibie.exe

Filesize
1.0MB

MD5
cd59e1fba80e9b5314be38df0da8a797

SHA1
e3a01d14112e33a847ff691dcb55b9e20af7641e

SHA256
6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

SHA512
ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\shibie.exe

Filesize
1.0MB

MD5
cd59e1fba80e9b5314be38df0da8a797

SHA1
e3a01d14112e33a847ff691dcb55b9e20af7641e

SHA256
6d6b8c45b17fe29eceba63abd9cd9368bfc763aca583d4023f0c97a25853d0bf

SHA512
ea293cf0137c44bf40b07467e2d64e9dc5f63b6bfc9097df7d1c556186ea14207afbd1b922c9901da7a04303f77cac5e5871c5f1e3e23410f7f602169157e7fe

Download Submit
memory/1068-4-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download