chinese_generic_botnet | 1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-02-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

673ec9946966504e0d8d87cf8bf0fb15.exe
Size

3.2MB
MD5

673ec9946966504e0d8d87cf8bf0fb15
SHA1

1348b01163e263e3c9aee874ca6cb94d85d3c855
SHA256

1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee
SHA512

9d51b5bcbd41d7bafb359b46bf203ff9dc5e5f128f5990e8afc362f7dd7b301769323b84744c84aa09f9ab3f1bbf69a89cc601ab5dfe5c62c0606c5f9b084429
SSDEEP

98304:84uTo0ZCKFwlCNZTOoqXAx88BqcVu1pggGsgBsCESpQ3v:84e7vNZTcAyhyyWgGppqv

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral1/memory/848-8730-0x0000000000400000-0x000000000052B000-memory.dmp	unk_chinese_botnet
behavioral1/memory/1508-17447-0x0000000000400000-0x000000000052B000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 3 IoCs

pid	Process
2620	svchost.exe
848	xzw.exe
1508	Suaeweq.exe

Loads dropped DLL 3 IoCs

pid	Process
3032	673ec9946966504e0d8d87cf8bf0fb15.exe
3032	673ec9946966504e0d8d87cf8bf0fb15.exe
3032	673ec9946966504e0d8d87cf8bf0fb15.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Suaeweq.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
2620	svchost.exe
848	xzw.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
1508	Suaeweq.exe
1508	Suaeweq.exe
2620	svchost.exe
848	xzw.exe
1508	Suaeweq.exe
2620	svchost.exe
848	xzw.exe
1508	Suaeweq.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe
848	xzw.exe
2620	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Suaeweq.exe	xzw.exe
File opened for modification	C:\Program Files (x86)\Suaeweq.exe	xzw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Suaeweq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Suaeweq.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Suaeweq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F44C1160-71B7-428C-BBCE-6918D56B6DB0}\WpadDecisionReason = "1"	Suaeweq.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F44C1160-71B7-428C-BBCE-6918D56B6DB0}\WpadDecisionTime = 507ebabaeb58da01	Suaeweq.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F44C1160-71B7-428C-BBCE-6918D56B6DB0}\c2-35-aa-9f-06-3c	Suaeweq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Suaeweq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Suaeweq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Suaeweq.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-35-aa-9f-06-3c	Suaeweq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-35-aa-9f-06-3c\WpadDecision = "0"	Suaeweq.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Suaeweq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Suaeweq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Suaeweq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Suaeweq.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F44C1160-71B7-428C-BBCE-6918D56B6DB0}	Suaeweq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F44C1160-71B7-428C-BBCE-6918D56B6DB0}\WpadDecision = "0"	Suaeweq.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-35-aa-9f-06-3c\WpadDecisionTime = 507ebabaeb58da01	Suaeweq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Suaeweq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Suaeweq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Suaeweq.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0054000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Suaeweq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F44C1160-71B7-428C-BBCE-6918D56B6DB0}\WpadNetworkName = "Network 3"	Suaeweq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-35-aa-9f-06-3c\WpadDecisionReason = "1"	Suaeweq.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2620	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3032	673ec9946966504e0d8d87cf8bf0fb15.exe
3032	673ec9946966504e0d8d87cf8bf0fb15.exe
2620	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2620	3032	673ec9946966504e0d8d87cf8bf0fb15.exe	28
PID 3032 wrote to memory of 2620	3032	673ec9946966504e0d8d87cf8bf0fb15.exe	28
PID 3032 wrote to memory of 2620	3032	673ec9946966504e0d8d87cf8bf0fb15.exe	28
PID 3032 wrote to memory of 2620	3032	673ec9946966504e0d8d87cf8bf0fb15.exe	28
PID 3032 wrote to memory of 848	3032	673ec9946966504e0d8d87cf8bf0fb15.exe	29
PID 3032 wrote to memory of 848	3032	673ec9946966504e0d8d87cf8bf0fb15.exe	29
PID 3032 wrote to memory of 848	3032	673ec9946966504e0d8d87cf8bf0fb15.exe	29
PID 3032 wrote to memory of 848	3032	673ec9946966504e0d8d87cf8bf0fb15.exe	29

C:\Users\Admin\AppData\Local\Temp\673ec9946966504e0d8d87cf8bf0fb15.exe
"C:\Users\Admin\AppData\Local\Temp\673ec9946966504e0d8d87cf8bf0fb15.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2620
- C:\Users\Admin\AppData\Roaming\xzw.exe
  "C:\Users\Admin\AppData\Roaming\xzw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  PID:848

C:\Program Files (x86)\Suaeweq.exe
"C:\Program Files (x86)\Suaeweq.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
673KB

MD5
1fe8318bfc73c2c94eabe26321c73e54

SHA1
829f17cb2054c8eb6355f66e67377c98635dbce5

SHA256
2006be04313d758fdcfe7b7eb8434fcdfea8609a70e5576494b17adec0bf2b8c

SHA512
8c841693d47e4c543ef37792a2cc5afe6254433e88c8dee2f09db74da7afe7b54861057b5b6e6771bac821a4624373fccdb43f55523d621a052c91d04e55851d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
173KB

MD5
7e83ff554f0cbc92be81a1e1df33c88c

SHA1
6112b4bb4e02cf779026150cc55711030b4d4cd7

SHA256
c39b741fc306308f3f8de358b5b811bef8aea56fb9c133b2eb9f08249bb48d0c

SHA512
e9ef6ae474d6c64c0102fc6f82e404d217c2615e51c9524367d6b54ee77cd9facc65592356fe1fbe6c0be0d61dcc92343efe786e1db989dadc7093c3301687a4

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
246KB

MD5
c2a317d277db9c22bfc15e89c3e0429f

SHA1
48221eaf04a6fe2eebca8b96857669c2ad5325e5

SHA256
6c329cc3456f54d33828da19bca07e3b776ac6484817d91f933eca3b48081aa4

SHA512
7ad2de2cd4ab15aac808b8cc51dc95585f7beff118a15eb7491d1d3cb964803c280e0680cabb0272e0ac83b3bc78215cc3a788296e7d139c9c70fdd9fe4a851e

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
164KB

MD5
75ca16e4180320a664364d07fb97247c

SHA1
f3d1848d20130cc16a24a7780a4514311d325689

SHA256
b854ae5d4cbce8769cb1b1912e7d86183f573634d394fba0871269ab0ae15c7b

SHA512
9ba4046ad6412c72892737d8792a386ea448bcf0aa2532805addfcf520d0a751e9d0a1dcdee88f86affd667cf67786636378e21c6e23345679562b40f6fbd066

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
888KB

MD5
a60eb6b05e9aa663aa574603aa4b7688

SHA1
1bea14088e5fa1d7e46a4a1d7f3c3fa5b395c7f8

SHA256
9387843ba50bc2600c26e7fe86b6d40e1dc5db5d685dbbf681cbcb50eb6cab5e

SHA512
678744d6831d2736b913fe9a5c4d3f7ce077c78eb5ec1f187228541e57501ddc0ed5b5dab43a682590bb50a858503ea5936304c325fa457aef0129c82805f370

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.4MB

MD5
6160d5e972f3fc546d4e2039e0f156d3

SHA1
4922350e469581c98e5b31d2823d41f7684262b5

SHA256
93c0f228790fafde28aa22db3541779f5c8aba99642660a0fbadbb6d02aef54a

SHA512
6a8fa222c23bee756a2c24c4921c267b2a191295d8ff36f311d28c52a67f28005d6eb1dccc006daa7dd47b54fa1c06e5cb8dc9b6e2c1118a082fd72a10d9108a

Download Submit
\Users\Admin\AppData\Roaming\xzw.exe

Filesize
388KB

MD5
0689597554f22495a7eee2e8307b9c95

SHA1
d03a5a02dd903d5ea0fe9ac523ee5af83af866f7

SHA256
6cce1d23efb642599ff7b38e74da446cfcb906a2f899e599eb1d50cb6e18c2a4

SHA512
d693cfa9f31203dff28293541d86623b90d272359074294284482cec3c078a0b4fbb569a935a0a0dcd79682183ffdedbed3a069c3b46d86fe961c609f1f90aec

Download Submit
\Users\Admin\AppData\Roaming\xzw.exe

Filesize
203KB

MD5
d5174997c0f91efd3b6bd14548109a89

SHA1
e7ade989c0769b6fe5951b04946c6cd81f5a0e29

SHA256
c7978963247ffc04f62fdd106cdbef88370dc10f4d77caa774ed4affaa7d2b59

SHA512
14367fb5b531de8b2ab5c29fd1d20ccc13cf7aede3794cd16fde160654dab5b780189c17601e789769cb7e9bdba865cead7f5d81966c806ba93237074147a678

Download Submit
memory/848-843-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-867-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-19-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/848-8730-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/848-8723-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/848-8715-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-2575-0x0000000001F80000-0x0000000002101000-memory.dmp

Filesize
1.5MB

Download
memory/848-838-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-847-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-861-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-859-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-873-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-885-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-891-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-895-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-893-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-889-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-887-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-883-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-881-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-879-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-877-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-875-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-871-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-869-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-20-0x0000000075850000-0x0000000075897000-memory.dmp

Filesize
284KB

Download
memory/848-865-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-863-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-857-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-855-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-853-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-851-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-849-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-845-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-839-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/848-841-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1508-8741-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1508-17447-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1508-17440-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1508-17433-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1508-11290-0x0000000001F80000-0x0000000002101000-memory.dmp

Filesize
1.5MB

Download
memory/2620-12804-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2620-87-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2620-8724-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2620-90-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2620-9-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2620-95-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2620-113-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/3032-8-0x00000000034D0000-0x000000000369A000-memory.dmp

Filesize
1.8MB

Download