chinese_generic_botnet | a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4

General

Target

a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe
Size

380KB
MD5

8d32647b6a6e7a6ffa11ffafcc687898
SHA1

e4e56dab9f0db93b1ca855a5cdd937ddbb4c3c9e
SHA256

a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4
SHA512

9232212d26a3a458ca12bacb5eb5826797850ddf5ce86fd3f9efc4d269623c80729d1e3ce500104ae18d516d95b746d6072b906558ccc98da0a70143cc92a4eb
SSDEEP

3072:cmgg0YcfYYOR3YtPTu+Bx77F+G9gZ6AGvQl451eB:9ggLcfzOyTxx7B+G9gZ6AeWB

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/1212-0-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 1 IoCs

pid	Process
436	Immswec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Immswec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Immswec.exe	a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe
File opened for modification	C:\Program Files (x86)\Immswec.exe	a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Immswec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{15EABC6C-A398-4A07-9903-D9EAE1C31E34}	Immswec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-3a-60-21-57-9c\WpadDecisionReason = "1"	Immswec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Immswec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Immswec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Immswec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Immswec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Immswec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{15EABC6C-A398-4A07-9903-D9EAE1C31E34}\WpadDecisionReason = "1"	Immswec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-3a-60-21-57-9c	Immswec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-3a-60-21-57-9c\WpadDecisionTime = e0adbe10bd4fda01	Immswec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Immswec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Immswec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-3a-60-21-57-9c\WpadDecision = "0"	Immswec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Immswec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{15EABC6C-A398-4A07-9903-D9EAE1C31E34}\WpadDecision = "0"	Immswec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Immswec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Immswec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Immswec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{15EABC6C-A398-4A07-9903-D9EAE1C31E34}\WpadDecisionTime = e0adbe10bd4fda01	Immswec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{15EABC6C-A398-4A07-9903-D9EAE1C31E34}\WpadNetworkName = "Network 3"	Immswec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{15EABC6C-A398-4A07-9903-D9EAE1C31E34}\7e-3a-60-21-57-9c	Immswec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Immswec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Immswec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1300	1212	a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe	28
PID 1212 wrote to memory of 1300	1212	a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe	28
PID 1212 wrote to memory of 1300	1212	a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe	28
PID 1212 wrote to memory of 1300	1212	a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe	28
PID 436 wrote to memory of 768	436	Immswec.exe	34
PID 436 wrote to memory of 768	436	Immswec.exe	34
PID 436 wrote to memory of 768	436	Immswec.exe	34
PID 436 wrote to memory of 768	436	Immswec.exe	34

C:\Users\Admin\AppData\Local\Temp\a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe
"C:\Users\Admin\AppData\Local\Temp\a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:1300

C:\Program Files (x86)\Immswec.exe
"C:\Program Files (x86)\Immswec.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Immswec.exe

Filesize
380KB

MD5
8d32647b6a6e7a6ffa11ffafcc687898

SHA1
e4e56dab9f0db93b1ca855a5cdd937ddbb4c3c9e

SHA256
a5cfb5c6492f586c354ed58d207b32ad38abcbb10fd46b228eae0efcf24131f4

SHA512
9232212d26a3a458ca12bacb5eb5826797850ddf5ce86fd3f9efc4d269623c80729d1e3ce500104ae18d516d95b746d6072b906558ccc98da0a70143cc92a4eb

Download Submit
memory/1212-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing