chinese_generic_botnet | 755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e

General

Target

755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe
Size

2.7MB
MD5

d6364b4a7155dceb57075a6269b0e2e3
SHA1

05553d7e2b28199d2c69c79de9e615307a3c68e4
SHA256

755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e
SHA512

2b280f4cdac9872b3ba142e30237e5274b80d82dea6ec93f5927c193a5eb166d4f4b5665bc525ecec3acb216d81897b7a6abcd0bc912a1d4938293476d6e820f
SSDEEP

24576:chRb0i6yW2ekPl03eaYdsxIxZknqinYaFh678uL1cjioszjaD8LCJeM9G37Xvf:cHoL2e9urKyxyqS6Bcj6iVJVKf

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/2208-4-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
2208	svchost.exe
3712	Q°ó²éÑ¯.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cwgatmx.exe = "C:\\Windows\\svchost.exe"	svchost.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe
File created	C:\Windows\Q°ó²éÑ¯.exe	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2208	svchost.exe
2208	svchost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2968	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe
2968	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe
2208	svchost.exe
3712	Q°ó²éÑ¯.exe
3712	Q°ó²éÑ¯.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2208	2968	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe	88
PID 2968 wrote to memory of 2208	2968	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe	88
PID 2968 wrote to memory of 2208	2968	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe	88
PID 2968 wrote to memory of 3712	2968	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe	89
PID 2968 wrote to memory of 3712	2968	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe	89
PID 2968 wrote to memory of 3712	2968	755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe	89

C:\Users\Admin\AppData\Local\Temp\755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe
"C:\Users\Admin\AppData\Local\Temp\755ca0a783514a0b3c4f0b11390e56946934fc72bca8a42bc3f9f48ba8d7b52e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\svchost.exe
  C:\Windows\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2208
- C:\Windows\Q°ó²éÑ¯.exe
  C:\Windows\\Q°ó²éÑ¯.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Q°ó²éÑ¯.exe

Filesize
1.1MB

MD5
1cc84bbe1f55896062505ec3fa9baef0

SHA1
db42dbd174297b24ae80ed55b5a0691fb009930a

SHA256
c941f71def1ee067f809131c181a82c02c7660e6794b47792530bb2f91a2206a

SHA512
fbd97be82815f71b51b0a3d94e19ddbb78bad81f7ec1f10ddb9fe2abba6a925f7229141c5ac061c3c6a421056f5a5b8f10e5c2cddac2a29367c312efb5d1188d

Download Submit
C:\Windows\Q°ó²éÑ¯.exe

Filesize
1.1MB

MD5
1cc84bbe1f55896062505ec3fa9baef0

SHA1
db42dbd174297b24ae80ed55b5a0691fb009930a

SHA256
c941f71def1ee067f809131c181a82c02c7660e6794b47792530bb2f91a2206a

SHA512
fbd97be82815f71b51b0a3d94e19ddbb78bad81f7ec1f10ddb9fe2abba6a925f7229141c5ac061c3c6a421056f5a5b8f10e5c2cddac2a29367c312efb5d1188d

Download Submit
C:\Windows\svchost.exe

Filesize
1.0MB

MD5
73349ed24f69e51ed4e2fde785962152

SHA1
84ae9257a9aa06aa222bc46cf8fd56f93b8d1631

SHA256
b6a7688e126a36caed944a58bd2be541f4f04a155ea49992eb5aaf45c3752f50

SHA512
c0c6c1d2213be36430a4d84e795edea7c18b782a6e2d7dfaf2995e7a84f0816876b44b4cc87b2128a337db45221b7bfc511bf25c1153e4fe8e0cf21210c8a8cd

Download Submit
C:\Windows\svchost.exe

Filesize
1.0MB

MD5
73349ed24f69e51ed4e2fde785962152

SHA1
84ae9257a9aa06aa222bc46cf8fd56f93b8d1631

SHA256
b6a7688e126a36caed944a58bd2be541f4f04a155ea49992eb5aaf45c3752f50

SHA512
c0c6c1d2213be36430a4d84e795edea7c18b782a6e2d7dfaf2995e7a84f0816876b44b4cc87b2128a337db45221b7bfc511bf25c1153e4fe8e0cf21210c8a8cd

Download Submit
memory/2208-4-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3712-11-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads