chinese_generic_botnet | 4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56

General

Target

4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
Size

540KB
MD5

ee408b555f711d4b38b7dc41edffc5bb
SHA1

87950bd92529e5344e50078d698bc22f8d36e5da
SHA256

4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56
SHA512

1e11cbbd3ca243534bd5d93971ea7e6de6da1b26e11a83195e6abc955ef51ae5eafacd88cf99e6b612a25a33c1d253cdc73c644d097128996ba3c9d41fc2a4cd
SSDEEP

3072:A5OsiQ79xzUcbK9LK/fzuaCrutJUDpRfmm5yqiXO+Zoy/6ESh0Jz5OdRSu:G7hoBO/fzxUpFmkgXO+T/6EJJNaS

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/1916-0-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
2904	Cmnurtw.exe
2796	Cmnurtw.exe

Loads dropped DLL 7 IoCs

pid	Process
2904	Cmnurtw.exe
2904	Cmnurtw.exe
2904	Cmnurtw.exe
2904	Cmnurtw.exe
2796	Cmnurtw.exe
2796	Cmnurtw.exe
2796	Cmnurtw.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\H:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\Z:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\V:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\G:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\I:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\J:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\L:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\M:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\U:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\W:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\Y:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\E:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\N:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\O:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\R:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\S:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\K:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\P:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\Q:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\T:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened (read-only)	\??\X:	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Cmnurtw.exe	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
File opened for modification	C:\Program Files (x86)\Cmnurtw.exe	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1916	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1916	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1916	4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
2904	Cmnurtw.exe
2796	Cmnurtw.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2796	2904	Cmnurtw.exe	29
PID 2904 wrote to memory of 2796	2904	Cmnurtw.exe	29
PID 2904 wrote to memory of 2796	2904	Cmnurtw.exe	29
PID 2904 wrote to memory of 2796	2904	Cmnurtw.exe	29
PID 2904 wrote to memory of 2796	2904	Cmnurtw.exe	29
PID 2904 wrote to memory of 2796	2904	Cmnurtw.exe	29
PID 2904 wrote to memory of 2796	2904	Cmnurtw.exe	29

C:\Users\Admin\AppData\Local\Temp\4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe
"C:\Users\Admin\AppData\Local\Temp\4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Program Files (x86)\Cmnurtw.exe
"C:\Program Files (x86)\Cmnurtw.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files (x86)\Cmnurtw.exe
  "C:\Program Files (x86)\Cmnurtw.exe" Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Cmnurtw.exe

Filesize
540KB

MD5
ee408b555f711d4b38b7dc41edffc5bb

SHA1
87950bd92529e5344e50078d698bc22f8d36e5da

SHA256
4504c2f50f828ce0bf82bb3cb0262273b015a49cec4957fe2f108f2df1742f56

SHA512
1e11cbbd3ca243534bd5d93971ea7e6de6da1b26e11a83195e6abc955ef51ae5eafacd88cf99e6b612a25a33c1d253cdc73c644d097128996ba3c9d41fc2a4cd

Download Submit
memory/1916-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads