Overview

overview

10

Static

static

3

e3a9ecfb56...87.exe

windows7-x64

10

e3a9ecfb56...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2024 11:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3a9ecfb567ddc6d3210f74048c0908adb4fac931e99d1db28e5268df52e1987.exe

  • Size

    552KB

  • MD5

    da99fa51ef84d3cdd87b608ee83688d5

  • SHA1

    5e8f6d9e907f992ee6ad4812d9b7db3664734069

  • SHA256

    e3a9ecfb567ddc6d3210f74048c0908adb4fac931e99d1db28e5268df52e1987

  • SHA512

    4c7921434db803d98502d3f3e9e2843ff918c5a4a77f3cded52b8c3abc84f7b82f3cf303a8397a83782ab14c1bf3a91867b1e2f5c5018249baa91cb0abfe4700

  • SSDEEP

    3072:r5OsiQ79xzUcbK9LK/fzuaCrutJUDpRfmm5yqiXO+Zoy/6EIP:t7hoBO/fzxUpFmkgXO+T/6E

Score
10/10
chinese_generic_botnetbotnet

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet payload 1 IoCs
    botnet
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3a9ecfb567ddc6d3210f74048c0908adb4fac931e99d1db28e5268df52e1987.exe
    "C:\Users\Admin\AppData\Local\Temp\e3a9ecfb567ddc6d3210f74048c0908adb4fac931e99d1db28e5268df52e1987.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    PID:2164
  • C:\Program Files (x86)\Cmnurtw.exe
    "C:\Program Files (x86)\Cmnurtw.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Program Files (x86)\Cmnurtw.exe
      "C:\Program Files (x86)\Cmnurtw.exe" Win7
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Cmnurtw.exe
    Filesize

    531KB

    MD5

    e0d9c0ebe66b619dcddc1a77f5d1683c

    SHA1

    9204ebe9e9fb6818b3561abe7916a14150ea119b

    SHA256

    fdadcbc9c1cb8c834da94c0598c7b27c12fd7c215071c89313d7c06fd28eea36

    SHA512

    21cc31b45834b1cd7170a185ef0606298dc0b8dd5a0a58536fcd6a5eab730a339cb0fd31adb6e9c367a22e9cd8085a72d4e04fb4b2d4576b5d24bb4d272d03ae

    Download Submit

  • C:\Program Files (x86)\Cmnurtw.exe
    Filesize

    257KB

    MD5

    1b292ae8bdacbea5276fadfd28ec9989

    SHA1

    3feb90ed2ca17d6784fe77ecf3810087941763b0

    SHA256

    c76bc100c887aa1fd3fce649074ddfb1489609f80cba50fa740f0e301ce0f636

    SHA512

    6b638e5f33beb98e13a53f6cfcc29b81497fb134d89deb9e532cacdea6f1068e5c2a6ed77034885e8fa2b4bd75437a2ed07bc7233ecbb7fe25787f07ab4cda49

    Download Submit

  • C:\Program Files (x86)\Cmnurtw.exe
    Filesize

    38KB

    MD5

    7af897f01e75c317ce46f77e5cab92de

    SHA1

    d7484f13d21c169db5c7eab0d54285a2e53c6922

    SHA256

    80acdfafb5aa0adda670d278fb483d394dd24744b14f4fcbc336ecc3e0b587ae

    SHA512

    d42016781ebaac1aa6e661559b74acbb4aec5e9b724590988add15703bd980fe43d2f0b95133b462946f7b88ec9820f4595739ced4a1c469f2de2c420bad4a1b

    Download Submit

  • \Program Files (x86)\Cmnurtw.exe
    Filesize

    189KB

    MD5

    51a52db6a1d548b8c5db42194e179151

    SHA1

    c64b9fce177dbdacbc14f33d59111e053e7372b6

    SHA256

    635c671554d2d31e784a3691c9b60e43a8bd40f6d6cebc7e2730467a97470b0c

    SHA512

    3beea94945a562afe5725f1603c5e949ab90289ee68f177926b2d1194bf1c2c1fa7f5bbb84eb11c1e2ea965e3b88efd2815e16727fe5d60e306287e02bef7a4e

    Download Submit

  • \Program Files (x86)\Cmnurtw.exe
    Filesize

    494KB

    MD5

    ca9bae4290fe2f17f3bb13b47f10f104

    SHA1

    68e38694420a3ad6706b7026203d13b3105c7d05

    SHA256

    52d73fcbb5a7b4eee3975deea74d1401fb10d53e81257b05e5dbea0d80d59a7d

    SHA512

    328ce8abbeec472be8fc07cdbfb7cb237243113d639a89a9b928db3a3afe8e6f9540d3d07c80483b598b862103462284e1022f7ce7f5109c2d0abc684689f2b7

    Download Submit

  • \Program Files (x86)\Cmnurtw.exe
    Filesize

    552KB

    MD5

    da99fa51ef84d3cdd87b608ee83688d5

    SHA1

    5e8f6d9e907f992ee6ad4812d9b7db3664734069

    SHA256

    e3a9ecfb567ddc6d3210f74048c0908adb4fac931e99d1db28e5268df52e1987

    SHA512

    4c7921434db803d98502d3f3e9e2843ff918c5a4a77f3cded52b8c3abc84f7b82f3cf303a8397a83782ab14c1bf3a91867b1e2f5c5018249baa91cb0abfe4700

    Download Submit

  • \Program Files (x86)\Cmnurtw.exe
    Filesize

    434KB

    MD5

    3d19753ce74b8cf19986c0dd458204a2

    SHA1

    e91f697ea633bfd9b93db8285969d5fc42bcdbc1

    SHA256

    ee3df9c23ec2acec4ad4ac16dad16d63a57047e04a89f44d87bc9b6495ad6e57

    SHA512

    b79f080f789b778c854f4401d0d47e3de88abed7c8231d8255dda01a9112fbea4cb6b8cfcb62b7bfce8adffd71a6479c53a1dd79a4c95b632defc610c89d8fd5

    Download Submit

  • \Program Files (x86)\Cmnurtw.exe
    Filesize

    64KB

    MD5

    25310d3d25d8b1d2f55cb3d27d53da9d

    SHA1

    7abba4181a48c64e19a87c02b5a8e07c7ed811cc

    SHA256

    ae019d25f6065361f82955034488ad55e0c277638774026654d86299a1c85f47

    SHA512

    73de3a6a632abadada1cc246ff579d25ecd03a8d422850ff3cba4053af5ea52e6cf6968fe9698c52c0aef4adae7a4f04130dfc1a93c46ebb71a2a077702cf237

    Download Submit

  • memory/2164-0-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

    Download