chinese_generic_botnet | eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d

General

Target

eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
Size

8.3MB
MD5

34b21663dcf4837afbbb4265a101085f
SHA1

59d5d64e43fe90448746af582cd0a48a4add34bf
SHA256

eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d
SHA512

c4bfaf3fdf6565539462c70b7a60fd63a30477308fbfc5095880c7cd4b1d9f923d4b07bcb45a3224416152624a22a3d6102051583a141577728730b8269a17d9
SSDEEP

49152:t/GUxi03zDWi26fs2cWDAbcl7jkv4+9Ry4kjCzj:t/GUT0uDhEv4n4Ma

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2236-0-0x0000000010000000-0x000000001001F000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
2392	Uoiksum.exe
1612	Uoiksum.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\B:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\G:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\L:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\O:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\R:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\S:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\U:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\H:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\N:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\Z:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\E:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\J:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\K:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\Y:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\I:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\M:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\P:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\Q:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\T:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\W:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File opened (read-only)	\??\X:	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Uoiksum.exe	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
File created	C:\Program Files (x86)\Uoiksum.exe	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2236	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2236	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2236	eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
2392	Uoiksum.exe
1612	Uoiksum.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1612	2392	Uoiksum.exe	31
PID 2392 wrote to memory of 1612	2392	Uoiksum.exe	31
PID 2392 wrote to memory of 1612	2392	Uoiksum.exe	31
PID 2392 wrote to memory of 1612	2392	Uoiksum.exe	31

C:\Users\Admin\AppData\Local\Temp\eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe
"C:\Users\Admin\AppData\Local\Temp\eb9317747dfd34d2f41cf90640de4d7c37211fba1f52b25f34de5c7389ab7d0d.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Program Files (x86)\Uoiksum.exe
"C:\Program Files (x86)\Uoiksum.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files (x86)\Uoiksum.exe
  "C:\Program Files (x86)\Uoiksum.exe" Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uoiksum.exe

Filesize
4.4MB

MD5
8a7eb60525c0d0cb3440d784e50db751

SHA1
76feebdf9ae67b9b8737b97670923f3974798397

SHA256
2c4c8f1e27e951dd87fbbf34e13acc06495b479a9c4deae3ae484de5aad113e9

SHA512
133c35d5b6e64cc28dbd1f009d2a027c08d9fab595fc4b6ff7a455e5f7ae45201e2da09ec25e409fc9cf278587ca787d5b167a82e0acd6d8049db85e145a21db

Download Submit
C:\Program Files (x86)\Uoiksum.exe

Filesize
4.5MB

MD5
6f10b57f7ce98946f38572aa75c43021

SHA1
2b05a70d20b4709ef1f786079bf896dfd34da36a

SHA256
5d6c73122c560b7477cf9de324201325475368c8e9cd5127af0db5897bc5413c

SHA512
d08ceae3578dd165a67cf787bf104affa7440a16e536224bdf1a57deee85832d5bd3d5b8d7d3cb23c644a3f3f916eecc10ee402f78dccfc1e65d5c415ae1cd8d

Download Submit
C:\Program Files (x86)\Uoiksum.exe

Filesize
5.8MB

MD5
a47dcba3c7f73992a7e89154cf8a818f

SHA1
e0963cff1fbe960d9ed7f90689ad04e32b23222e

SHA256
a9e522afa7757b8224691d5356bf50f5e72d62861a0cf0f7dae10682164c83b5

SHA512
68e5056ab1db30b5f22d7202ad627389b0c7982e100167153ae1cfa642c8c88b720b9be8578235da5d4a619b365c36eb91d37c21dbc6bacf7acd69a69227b9c7

Download Submit
memory/2236-0-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads