Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2023 20:00

General

  • Target

    8688fbe0d85a42a96cc8a337e882ab267fe450e847351b6866e08ecd1bfe3110.exe

  • Size

    4.1MB

  • MD5

    c862a8af9c31b5be4a50b17282630eaf

  • SHA1

    d8653926e68fa30b3a7bfa382dc337f557d5c709

  • SHA256

    8688fbe0d85a42a96cc8a337e882ab267fe450e847351b6866e08ecd1bfe3110

  • SHA512

    70b4afb66f53c34ef364cbb2d109c33a993706a12603b3536e004081b6d4d0361f81a96e0a151e7f9fc970004e4c3c407f7e7475e4fc74a86fb2d71672debd9a

  • SSDEEP

    49152:9QWqHcFt4tQGgKbDLKykKy5RyeEJzrlrx:9QWWcFt4t5gKbDLKykKy5QVJzJrx

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

  • Chinese Botnet payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8688fbe0d85a42a96cc8a337e882ab267fe450e847351b6866e08ecd1bfe3110.exe
    "C:\Users\Admin\AppData\Local\Temp\8688fbe0d85a42a96cc8a337e882ab267fe450e847351b6866e08ecd1bfe3110.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\svchost.exe
      C:\Windows\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1348
    • C:\Windows\js.exe
      C:\Windows\\js.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\svichost.exe
        C:\Windows\System32\svichost.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        PID:2584
  • C:\Program Files (x86)\Microsoft Qiaaoy\Qgymwes.exe
    "C:\Program Files (x86)\Microsoft Qiaaoy\Qgymwes.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Program Files (x86)\Microsoft Qiaaoy\Qgymwes.exe
      "C:\Program Files (x86)\Microsoft Qiaaoy\Qgymwes.exe" Win7
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2548
  • C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe
    "C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe
      "C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe" Win7
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1536

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe

    Filesize

    1.0MB

    MD5

    5e0bd14c0976831e38f6674892ed9ac6

    SHA1

    2d345b6ce9fb5c3f70353530f392c70b5776e95a

    SHA256

    35f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302

    SHA512

    4a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437

  • C:\Program Files (x86)\Microsoft Qiaaoy\Qgymwes.exe

    Filesize

    1.0MB

    MD5

    98664a6bca78eab5cddd244e6762bae6

    SHA1

    81013aa881b4e45a76739a088d81ba4def2eed8d

    SHA256

    0acb639b41b26eea6d94fa0334b056bb8c6037c84ae15b3678356cf6697ef116

    SHA512

    8773e3da356b4dd6c464b8d4c38a43f425e89e1ba2968c92a9b9ac6650441d895419b16061b99c66fa89643760d6d4e898498fd4e69116c915f8831e1193bae8

  • C:\Windows\SysWOW64\svichost.exe

    Filesize

    1.0MB

    MD5

    5e0bd14c0976831e38f6674892ed9ac6

    SHA1

    2d345b6ce9fb5c3f70353530f392c70b5776e95a

    SHA256

    35f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302

    SHA512

    4a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437

  • C:\Windows\js.exe

    Filesize

    1.8MB

    MD5

    448a820e0d6b1125b7917fd16e87d905

    SHA1

    413c6f4a342772812ef2d27b550669b2ec0aefff

    SHA256

    0240fd72362dd0be296618dc46dd8c1ce2f3f5cd4132556454cf88f6e3393e36

    SHA512

    c73a4c53e723d971dc9beb0aa1816d68a86e61cb4b6925ad8d6fdc29b370a02b9b1b81a99590f29cdc2c02cdbd78ae4ccbca7d09db2c7b7d0cddb2f0946f937e

  • C:\Windows\svchost.exe

    Filesize

    1.0MB

    MD5

    98664a6bca78eab5cddd244e6762bae6

    SHA1

    81013aa881b4e45a76739a088d81ba4def2eed8d

    SHA256

    0acb639b41b26eea6d94fa0334b056bb8c6037c84ae15b3678356cf6697ef116

    SHA512

    8773e3da356b4dd6c464b8d4c38a43f425e89e1ba2968c92a9b9ac6650441d895419b16061b99c66fa89643760d6d4e898498fd4e69116c915f8831e1193bae8

  • \Windows\SysWOW64\svichost.exe

    Filesize

    1.0MB

    MD5

    5e0bd14c0976831e38f6674892ed9ac6

    SHA1

    2d345b6ce9fb5c3f70353530f392c70b5776e95a

    SHA256

    35f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302

    SHA512

    4a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437

  • memory/1348-6-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

  • memory/2584-25-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB