Analysis

  • max time kernel: 117s
  • max time network: 143s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 19-01-2024 10:37

General

  • Target: 54fb2ada01c02e922853066644b9524e4227e30e5ab15f91647556c72556a5be.exe
  • Size: 541KB
  • MD5: e114495b770c0f805e56b27c87b773de
  • SHA1: eb287a589998b616b5adce1709eddd90ccf58a03
  • SHA256: 54fb2ada01c02e922853066644b9524e4227e30e5ab15f91647556c72556a5be
  • SHA512: 37f01779cfc97c1c8a8921588323880990eb45cef96a07e87e7d889aafa0516225d019079a6a64bb7fbcfa4b65dcbba09bac23a7934c8ffcd95207a9add25f1d
  • SSDEEP: 3072:A5OsiQ79xzUcbK9LK/fzuaCrutJUDpRfmm5yqiXO+Zoy/6ESh0Jz5OdRSu:G7hoBO/fzxUpFmkgXO+T/6EJJNaS

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

  • Chinese Botnet payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54fb2ada01c02e922853066644b9524e4227e30e5ab15f91647556c72556a5be.exe
    "C:\Users\Admin\AppData\Local\Temp\54fb2ada01c02e922853066644b9524e4227e30e5ab15f91647556c72556a5be.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    PID:2928
  • C:\Program Files (x86)\Cmnurtw.exe
    "C:\Program Files (x86)\Cmnurtw.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:616
    • C:\Program Files (x86)\Cmnurtw.exe
      "C:\Program Files (x86)\Cmnurtw.exe" Win7
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Cmnurtw.exe
    Filesize: 142KB
    MD5: bd3520777f30b2b2782e032845b0224a
    SHA1: dadeae62c4f72f8641feb4be5cc98693a8ef6eab
    SHA256: d668ea6e652721644a39ad223a8ad7e495f553fac24a256fabc34449333821da
    SHA512: f2833534c066b292ed7e67af49e58e0cffa4db1231f339db2618bdaae45a1c51a7b564371e4562d995d138c4d8503672cc736ac8694fdb4acdb5048e841fad4f

  • C:\Program Files (x86)\Cmnurtw.exe
    Filesize: 541KB
    MD5: e114495b770c0f805e56b27c87b773de
    SHA1: eb287a589998b616b5adce1709eddd90ccf58a03
    SHA256: 54fb2ada01c02e922853066644b9524e4227e30e5ab15f91647556c72556a5be
    SHA512: 37f01779cfc97c1c8a8921588323880990eb45cef96a07e87e7d889aafa0516225d019079a6a64bb7fbcfa4b65dcbba09bac23a7934c8ffcd95207a9add25f1d

  • \Program Files (x86)\Cmnurtw.exe
    Filesize: 113KB
    MD5: c3aefd7239a93aa5f50d267e9360ceb2
    SHA1: 2860547570eca94782be09880a8a11576dd474e6
    SHA256: 7f077b4c5f51928041d9d9e399bccc9ba30ef801a83e8312a1933385a3f412bc
    SHA512: d792aaaf424b42bf2e6b976477916e200c0fb7707cfee12679e8b57c6f1d2ac1cd9e914d349f216fdcc7e6d625f06676f5f57e4ab5a7e54091fdf08f2b5be80f

  • \Program Files (x86)\Cmnurtw.exe
    Filesize: 129KB
    MD5: 87646cf1b4121f5fea2703a6c0b5fa53
    SHA1: a1a41a20f4a56020f503f73ff326a8a7dcb389e3
    SHA256: 228bcf0b35bdae03754156fcb3870e30e5ad638a49d84a4be581a1cb32281225
    SHA512: 76073d1e2431fdbf438be4d3dc550582679feeb963c98210d5a77dbfbfb71bda2464cfa792e3ae87aa5965ff52e3bc279862c0f0e7a57547f3732e9baa05edde

  • \Program Files (x86)\Cmnurtw.exe
    Filesize: 147KB
    MD5: 0c81be09a26e52212fcb9523165c80b6
    SHA1: eb5c8850618cc82a549053e01be06e45f8fd2193
    SHA256: fe1c7db1acd053e6484395660b4c75d40198ba3de51ac87bc6438d74338cb747
    SHA512: cb103250811a70d78efcb82880f6c23cf765df6c1e528fa1a7fc7cebb2a4ce0ddec1cc35eb8089cd87c69df508a4b06e16861abe1bec583ac37533bd313e643e

  • \Program Files (x86)\Cmnurtw.exe
    Filesize: 109KB
    MD5: 46c56e0603dde674717bc40e2f5e9d1c
    SHA1: 567a352dd1bfbf183d61a26acc5b073046b62fb7
    SHA256: c28c704c9560c8f281ecf6a84ac89add130ffa2427363a414ddc3566e3d460a8
    SHA512: a6e965abc8f93bfd7a02b19deb9a9f39ba8f2b40451dc32f7c433d5c442dcce0bba5356a73f0ee5730ab901b6d2288c4bbda7075c1c2e9ee96b16b99db3a417e

  • memory/2928-0-0x0000000010000000-0x0000000010018000-memory.dmp
    Filesize: 96KB