Overview

overview

10

Static

static

3

abeb08a6b4...13.exe

windows7-x64

10

abeb08a6b4...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2023 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abeb08a6b40d1f97366da3855a75f539f7feacfa50ddb6bdebf3ae9225a86d13.exe

  • Size

    2.1MB

  • MD5

    df7bf6a71d700986afbbf0c74783f4bb

  • SHA1

    b5273e244b4f5c1a6b5a4ce84b4c98aaec51f730

  • SHA256

    abeb08a6b40d1f97366da3855a75f539f7feacfa50ddb6bdebf3ae9225a86d13

  • SHA512

    787a8f39f78ced9e867edd639925a5537c23458dae0ce047c2be19379e142cc7678f3fc90c7335bc0423a39fec071914502dc572c5dfccfdb999377936dd5fd2

  • SSDEEP

    24576:57DlIWGz4VbS6rSTRq32hnMOa7mdsxI5DqVBGteW:5A4VBSTcGCO8mKy5xQW

Score
10/10
chinese_generic_botnetbotnetpersistence

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet payload 1 IoCs
    botnet
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abeb08a6b40d1f97366da3855a75f539f7feacfa50ddb6bdebf3ae9225a86d13.exe
    "C:\Users\Admin\AppData\Local\Temp\abeb08a6b40d1f97366da3855a75f539f7feacfa50ddb6bdebf3ae9225a86d13.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Windows\svchost.exe
      C:\Windows\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      PID:4292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\svchost.exe
    Filesize

    882KB

    MD5

    2900d0d522d53a0ce22ce798b2ea7a14

    SHA1

    f8bc7df2e8e0f5ec809f851bd9bb58c6c84dfe87

    SHA256

    bf4914155652c038eb53074b3e1bd2ed307c09775dfefbe3dbf7726e337e2f1f

    SHA512

    223b50c534b50d1fa8c5acc0154d994b67b3b72bb8190bff9f3279d468629617d547d56f7815110aa29cbc19a4f2c724d8583d6731db8957798bbcb885aec8b3

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    830KB

    MD5

    ee389b8325c7e60a9a75b0191e9a5df2

    SHA1

    f47f96c79a91a71446c9afbaa0014c130d896991

    SHA256

    b98bf9fb8f4400aceefc8426fdb2453e3146eb829645593b69feddbad4c5563f

    SHA512

    6fa9aae044867445e78fc32cad786cae9110e9c6ad87370ac7de4975d1e10715c05882ce18953b36e654cb4816af1519f1f0976c56a727df67203c52d75bfc59

    Download Submit

  • memory/4292-4-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

    Download