chinese_generic_botnet | 1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

673ec9946966504e0d8d87cf8bf0fb15.exe
Size

3.2MB
MD5

673ec9946966504e0d8d87cf8bf0fb15
SHA1

1348b01163e263e3c9aee874ca6cb94d85d3c855
SHA256

1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee
SHA512

9d51b5bcbd41d7bafb359b46bf203ff9dc5e5f128f5990e8afc362f7dd7b301769323b84744c84aa09f9ab3f1bbf69a89cc601ab5dfe5c62c0606c5f9b084429
SSDEEP

98304:84uTo0ZCKFwlCNZTOoqXAx88BqcVu1pggGsgBsCESpQ3v:84e7vNZTcAyhyyWgGppqv

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral2/memory/3596-13104-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral2/memory/3596-13108-0x0000000000400000-0x000000000052B000-memory.dmp	unk_chinese_botnet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	673ec9946966504e0d8d87cf8bf0fb15.exe

Executes dropped EXE 2 IoCs

pid	Process
1404	svchost.exe
3596	xzw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Suaeweq.exe = "C:\\Users\\Admin\\AppData\\Roaming\\xzw.exe"	xzw.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
1404	svchost.exe
3596	xzw.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe
1404	svchost.exe
3596	xzw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1404	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1600	673ec9946966504e0d8d87cf8bf0fb15.exe
1600	673ec9946966504e0d8d87cf8bf0fb15.exe
1404	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1404	1600	673ec9946966504e0d8d87cf8bf0fb15.exe	85
PID 1600 wrote to memory of 1404	1600	673ec9946966504e0d8d87cf8bf0fb15.exe	85
PID 1600 wrote to memory of 3596	1600	673ec9946966504e0d8d87cf8bf0fb15.exe	86
PID 1600 wrote to memory of 3596	1600	673ec9946966504e0d8d87cf8bf0fb15.exe	86
PID 1600 wrote to memory of 3596	1600	673ec9946966504e0d8d87cf8bf0fb15.exe	86

C:\Users\Admin\AppData\Local\Temp\673ec9946966504e0d8d87cf8bf0fb15.exe
"C:\Users\Admin\AppData\Local\Temp\673ec9946966504e0d8d87cf8bf0fb15.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1404
- C:\Users\Admin\AppData\Roaming\xzw.exe
  "C:\Users\Admin\AppData\Roaming\xzw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
761KB

MD5
a8b4dd8f1b3abcda3ffa5d0f434d91de

SHA1
3f5e65d07e280d570e5fbdfccf89476fdc79aae2

SHA256
b2c0954711f6d4edae1416d8816e0e8bef208944bb909077f73c44ee455757f9

SHA512
4fb3f0528ece3ca3f404524f5e7095b23a304d3c79335e399340c96cac139bb396a529cee9316969ebdaa915753882cc6f7d94dd01ebaef5489cb8059ee06d92

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
ba3079fa684aa627275be64bd3a43007

SHA1
67ce8d70bbeb9787d2260dfcb01b7a32bddaf5bd

SHA256
1097f37666425cdd2372d58453e85ef5bba95ed2b259bd3e0dc09d7201a80d60

SHA512
d21f2ff4cc575936dc11e8bce893a5b99a300b9e4ec4114ce192f71f915ee7c411c56ca8a6709166c0d0462d11f4a26c7c9e43b29fca8671104c265042501570

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
248KB

MD5
4dd8e176c6167edc12713bb6729a5cce

SHA1
b3f3f3cf5600dc3600010dc3defee57e0b75f95c

SHA256
eaa556d94295a521a1eaf8931d4254e15e17563b272ba3e9017b004adca800f7

SHA512
a50767bc8eb6e72d3aca873bcbb8df0a567e1bd159eecdcee6329c055f693dabbdc70b0d4e7398318516097652f5cebef81e35eb77278e15449d040ea33ec93c

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
129KB

MD5
12cbe578ca11add7017d4c14ac3a8c14

SHA1
93157abc387eae335bf1a7f7b5adcae19ff8037e

SHA256
73059f4dc47b22ab45eee75d77687c56ae729709bce3ea5b911009ceb8f0bb4a

SHA512
c05bbcc93be2d98317f1c46c6afb1431a32e70b51ef2d3b4342e6fdffc631adb76fdb4826a5fb1a74024af68895500559c621536f8028b40a2a6fac94204bf75

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
888KB

MD5
a60eb6b05e9aa663aa574603aa4b7688

SHA1
1bea14088e5fa1d7e46a4a1d7f3c3fa5b395c7f8

SHA256
9387843ba50bc2600c26e7fe86b6d40e1dc5db5d685dbbf681cbcb50eb6cab5e

SHA512
678744d6831d2736b913fe9a5c4d3f7ce077c78eb5ec1f187228541e57501ddc0ed5b5dab43a682590bb50a858503ea5936304c325fa457aef0129c82805f370

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
5KB

MD5
87f129179f238244f4028a038b8c05dc

SHA1
cc01208b1c91a5f85c1373c9e106d9697a4dc84d

SHA256
6bb2b88e3fa6bea1d27ef769b28450ac5c0e9652c65d87f47288a32ac005723c

SHA512
0013bac1738fc9771491a79a2d1b6eaf4b1f301706791c97328e931c40324d7f64e329f39d552e70d8a9f29d475eb91fc4769af42ce63b9775324d6328d7a557

Download Submit
memory/1404-113-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-13132-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-13134-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-107-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-13109-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-118-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-146-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-17-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-13128-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-10127-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-13122-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-13118-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-13114-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1404-13110-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/3596-21-0x0000000076C20000-0x0000000076E35000-memory.dmp

Filesize
2.1MB

Download
memory/3596-13103-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-13104-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3596-13108-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-13102-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-13099-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-13100-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-13098-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-13097-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3596-5911-0x0000000075C90000-0x0000000075D0A000-memory.dmp

Filesize
488KB

Download
memory/3596-3902-0x0000000076E40000-0x0000000076FE0000-memory.dmp

Filesize
1.6MB

Download
memory/3596-20-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads