chinese_generic_botnet | 59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8

Analysis

max time kernel
173s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
Size

4.0MB
MD5

0e9380c75030b8154997b4e8310357b3
SHA1

76ced34528c734c9871e774a6bd9cc1decffb2a4
SHA256

59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8
SHA512

be3b4675e43f3ef13014a7ac8e63df4073696997d786e03bd62bc0c9ae695af215011583ca50dc47ad4db8048de9c2e071db7c4e7749834534d80f5251416ba6
SSDEEP

49152:A+CNRa23/nk7xi03zDWi26fs2cWDAbcl7jkv4+9Ry4kjCzSC:bIRa23/k7T0uDhEv4n4Mm

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/4500-4-0x0000000010000000-0x000000001001F000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
4500	sxteam.exe
1012	µÇÂ½.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nnvnnrv.exe = "C:\\Windows\\SysWOW64\\sxteam.exe"	sxteam.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sxteam.exe	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
4500	sxteam.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 4500	1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	91
PID 1908 wrote to memory of 4500	1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	91
PID 1908 wrote to memory of 4500	1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	91
PID 1908 wrote to memory of 1012	1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	92
PID 1908 wrote to memory of 1012	1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	92
PID 1908 wrote to memory of 1012	1908	59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe	92

C:\Users\Admin\AppData\Local\Temp\59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe
"C:\Users\Admin\AppData\Local\Temp\59fcc0c5a123dc0a67d61c57164ba5ea344a10101ad7bd6d3c3404c7e55f06c8.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\sxteam.exe
  C:\Windows\System32\sxteam.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\µÇÂ½.exe
  C:\Users\Admin\AppData\Local\Temp\µÇÂ½.exe
  2⤵
  - Executes dropped EXE
  PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\µÇÂ½.exe

Filesize
8KB

MD5
8c62db072c6ce1d4776bee7954d45e98

SHA1
1e328f615baa9f79d20cf3e2f242cfd46462f2ce

SHA256
fd4dc8e58d8e97dd54ea0fd76b6aa25aa5afd3a859467dca3b9123ad10a4d331

SHA512
fc67482599fb9b11c5e4fda9005b8cd903da64ce7f4022a8f297b7c3ac553705f78d9d21fd0237a7ab052036c47927935dc85ee17bb4ca287d50b5f911a43a19

Download Submit
C:\Windows\SysWOW64\sxteam.exe

Filesize
3.3MB

MD5
19d204376965daa8293b8dad0544e792

SHA1
9d57f94c7c59e462bc281b0d0321ea5049a4d4b5

SHA256
d20854dd8c10f5957f51e70c07b8129d05c5c56c9cc3796b815087ef123d9eb3

SHA512
80783d97681e17f506f4f38495b34e2450144c504232cf2c65c5e3f670f2518357c6e238634ae32290f9bc3eff07edc8445253e49a179f5c869d9572e163f2c7

Download Submit
memory/1012-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1012-15-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1012-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4500-4-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download