chinese_generic_botnet | e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198

Analysis

max time kernel
129s
max time network
138s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 10:02

Target

e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198.exe
Size

3.3MB
MD5

dc1fab2c3e39297e8973d4154b33ef8e
SHA1

cf30c2d4bdf8f24a0023c373370907bef2d5d057
SHA256

e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198
SHA512

86431dcf629d5461be807ca50e2b84addc3e3705cc4e1e15fa71713bc97ced1900142f4ad7a24304fcaefdd76c767870daeb195eb453d5ce2876db0c3c178089
SSDEEP

49152:t/Nsxi03zDWi26fs2cWDAbcl7jkv4+9Ry4kjCz:t/NsT0uDhEv4n4M

Score

10^/10

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/1636-0-0x0000000010000000-0x000000001001F000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

Processes:

Cimiieq.exeCimiieq.exe

pid process

2704 Cimiieq.exe
2648 Cimiieq.exe

pid	process
2704	Cimiieq.exe
2648	Cimiieq.exe

Drops file in Program Files directory 2 IoCs

Processes:

e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198.exe

description	ioc	process
File created	C:\Program Files (x86)\Cimiieq.exe	e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198.exe
File opened for modification	C:\Program Files (x86)\Cimiieq.exe	e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198.exeCimiieq.exeCimiieq.exe

pid process

1636 e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198.exe
2704 Cimiieq.exe
2648 Cimiieq.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198.exeCimiieq.exeCimiieq.exe

pid process

1636 e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198.exe
2704 Cimiieq.exe
2648 Cimiieq.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Cimiieq.exe

description	pid	process	target process
PID 2704 wrote to memory of 2648	2704	Cimiieq.exe	Cimiieq.exe
PID 2704 wrote to memory of 2648	2704	Cimiieq.exe	Cimiieq.exe
PID 2704 wrote to memory of 2648	2704	Cimiieq.exe	Cimiieq.exe
PID 2704 wrote to memory of 2648	2704	Cimiieq.exe	Cimiieq.exe

C:\Program Files (x86)\Cimiieq.exe

Filesize
3.3MB

MD5
dc1fab2c3e39297e8973d4154b33ef8e

SHA1
cf30c2d4bdf8f24a0023c373370907bef2d5d057

SHA256
e42d735a519713d88832f38132c7089e9380fa4b8dad0b22ffa83d30c66d1198

SHA512
86431dcf629d5461be807ca50e2b84addc3e3705cc4e1e15fa71713bc97ced1900142f4ad7a24304fcaefdd76c767870daeb195eb453d5ce2876db0c3c178089

Download Submit
memory/1636-0-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download