chinese_generic_botnet | 59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8

General

Target

59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
Size

4.0MB
MD5

0e9380c75030b8154997b4e8310357b3
SHA1

76ced34528c734c9871e774a6bd9cc1decffb2a4
SHA256

59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8
SHA512

be3b4675e43f3ef13014a7ac8e63df4073696997d786e03bd62bc0c9ae695af215011583ca50dc47ad4db8048de9c2e071db7c4e7749834534d80f5251416ba6
SSDEEP

49152:A+CNRa23/nk7xi03zDWi26fs2cWDAbcl7jkv4+9Ry4kjCzSC:bIRa23/k7T0uDhEv4n4Mm

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2896-8-0x0000000010000000-0x000000001001F000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 4 IoCs

pid	Process
2896	sxteam.exe
2952	Nnvnnrv.exe
2660	µÇÂ½.exe
2820	Nnvnnrv.exe

Loads dropped DLL 4 IoCs

pid	Process
2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sxteam.exe	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nnvnnrv.exe	sxteam.exe
File opened for modification	C:\Program Files (x86)\Nnvnnrv.exe	sxteam.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
2896	sxteam.exe
2952	Nnvnnrv.exe
2820	Nnvnnrv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2896	2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	28
PID 2756 wrote to memory of 2896	2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	28
PID 2756 wrote to memory of 2896	2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	28
PID 2756 wrote to memory of 2896	2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	28
PID 2756 wrote to memory of 2660	2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	30
PID 2756 wrote to memory of 2660	2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	30
PID 2756 wrote to memory of 2660	2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	30
PID 2756 wrote to memory of 2660	2756	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	30
PID 2952 wrote to memory of 2820	2952	Nnvnnrv.exe	31
PID 2952 wrote to memory of 2820	2952	Nnvnnrv.exe	31
PID 2952 wrote to memory of 2820	2952	Nnvnnrv.exe	31
PID 2952 wrote to memory of 2820	2952	Nnvnnrv.exe	31

C:\Users\Admin\AppData\Local\Temp\59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
"C:\Users\Admin\AppData\Local\Temp\59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\sxteam.exe
  C:\Windows\System32\sxteam.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\µÇÂ½.exe
  C:\Users\Admin\AppData\Local\Temp\µÇÂ½.exe
  2⤵
  - Executes dropped EXE
  PID:2660

C:\Program Files (x86)\Nnvnnrv.exe
"C:\Program Files (x86)\Nnvnnrv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files (x86)\Nnvnnrv.exe
  "C:\Program Files (x86)\Nnvnnrv.exe" Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nnvnnrv.exe

Filesize
2.1MB

MD5
7145a479fd90ca34fb166928daf80091

SHA1
ee6f1081860d8d26ff060bca25503071a30d87f1

SHA256
3da7ef3f23871e45306e783acc593b4171aed03158322c86a8adddc7d4ff9952

SHA512
1617d74b630437470c264c348bf6c765eb1b8ed9f1102cc404df3b172cc17338d6ecd4045327bebe91cbafba180cdf4275f7d514cdaaa7c98226a9fb2d5ed2ba

Download Submit
C:\Program Files (x86)\Nnvnnrv.exe

Filesize
2.1MB

MD5
25fd62d0cfb614c0d6298f242a87c437

SHA1
36686a8e2a272d39337874fe20cbd61afb8493fd

SHA256
4b9b174b6d305189029f41bb68909e62d9befc5c06d3aa70a38dc46f67269510

SHA512
c579ebb91434d519b367876c1a4a0e39efe049883e22b502999b64554c0cd253f14069209f2d7d218b9bf43f2e05de27c39442d619d83eaa8ee7ffd2c2d6a25a

Download Submit
\Users\Admin\AppData\Local\Temp\µÇÂ½.exe

Filesize
8KB

MD5
8c62db072c6ce1d4776bee7954d45e98

SHA1
1e328f615baa9f79d20cf3e2f242cfd46462f2ce

SHA256
fd4dc8e58d8e97dd54ea0fd76b6aa25aa5afd3a859467dca3b9123ad10a4d331

SHA512
fc67482599fb9b11c5e4fda9005b8cd903da64ce7f4022a8f297b7c3ac553705f78d9d21fd0237a7ab052036c47927935dc85ee17bb4ca287d50b5f911a43a19

Download Submit
\Windows\SysWOW64\sxteam.exe

Filesize
3.3MB

MD5
19d204376965daa8293b8dad0544e792

SHA1
9d57f94c7c59e462bc281b0d0321ea5049a4d4b5

SHA256
d20854dd8c10f5957f51e70c07b8129d05c5c56c9cc3796b815087ef123d9eb3

SHA512
80783d97681e17f506f4f38495b34e2450144c504232cf2c65c5e3f670f2518357c6e238634ae32290f9bc3eff07edc8445253e49a179f5c869d9572e163f2c7

Download Submit
memory/2660-27-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2660-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2660-40-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2756-26-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/2756-24-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/2896-8-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing