Analysis
- max time kernel: 121s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-03-2024 09:59
Static task: static1
Behavioral task: behavioral1
- Sample: c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
- Resource: win10v2004-20240226-en
General
- Target: c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
- Size: 3.3MB
- MD5: cb3fc4ea063aa9207a9a4f896ab06864
- SHA1: 7196406db5b38a68b2c90b5c01c675ecac8cca46
- SHA256: c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8
- SHA512: afbc7fb770ca349b1b1a6835a6af2793f116684dffe5b42870ef782aaa6b06b007ac0545615266622a86877cac105328ee7e604ef3e82248773ca52717251b10
- SSDEEP: 49152:t/G5xi03zDWi26fs2cWDAbcl7jkv4+9Ry4kjCz:t/G5T0uDhEv4n4M
Malware Config
Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.

Chinese Botnet payload (1 IoC)
resource | yara_rule
behavioral1/memory/1920-0-0x0000000010000000-0x000000001001F000-memory.dmp | unk_chinese_botnet

Executes dropped EXE (2 IoCs)
pid | Process
2520 | Wgqayyc.exe
2612 | Wgqayyc.exe

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\K: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\O: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\S: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\T: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\V: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\W: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\I: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\G: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\L: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\M: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\Y: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\B: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\H: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\Q: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\R: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\U: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\X: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\Z: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\E: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\P: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened (read-only) | \??\N: | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Wgqayyc.exe | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
File opened for modification | C:\Program Files (x86)\Wgqayyc.exe | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1920 | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
1920 | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1920 | c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe
2520 | Wgqayyc.exe
2612 | Wgqayyc.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2520 wrote to memory of 2612 | 2520 | Wgqayyc.exe | 29
PID 2520 wrote to memory of 2612 | 2520 | Wgqayyc.exe | 29
PID 2520 wrote to memory of 2612 | 2520 | Wgqayyc.exe | 29
PID 2520 wrote to memory of 2612 | 2520 | Wgqayyc.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe (PID 1920), command line: "C:\Users\Admin\AppData\Local\Temp\c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Wgqayyc.exe (PID 2520), command line: "C:\Program Files (x86)\Wgqayyc.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files (x86)\Wgqayyc.exe (PID 2612), command line: "C:\Program Files (x86)\Wgqayyc.exe" Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.3MB
- MD5: cb3fc4ea063aa9207a9a4f896ab06864
- SHA1: 7196406db5b38a68b2c90b5c01c675ecac8cca46
- SHA256: c475c63b1179e2899fb0c623d9f770125db643514b6f612906c79a39036407f8
- SHA512: afbc7fb770ca349b1b1a6835a6af2793f116684dffe5b42870ef782aaa6b06b007ac0545615266622a86877cac105328ee7e604ef3e82248773ca52717251b10