chinese_generic_botnet | a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9

Analysis

max time kernel
118s
max time network
138s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
Size

1.2MB
MD5

059db3d70ebd90594242e8c4dbc92de6
SHA1

cf6d8ccbbf4d2f752d80c581eba9f70059e776d4
SHA256

a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9
SHA512

fade9a9ba73e5fbd84f536f86a8180ef1a1975d45b8e1621ba73d6b9923bd10ae641d406bf5d96e00b3404710192e29445264009a3d326a0f604eb23b31d6cea
SSDEEP

24576:w37Z7Xxs8GPeIzxVvoscrpXv63aprWmLjEVsA:c9C8JIzxVvos6QwWmLjEV1

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

description	ioc	process
File opened (read-only)	\??\E:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\G:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\I:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\R:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\U:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\B:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\K:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\V:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\X:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\Z:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\J:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\N:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\O:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\P:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\Q:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\W:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\Y:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\H:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\L:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\M:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\S:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
File opened (read-only)	\??\T:	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

pid process

2980 a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

pid process

2980 a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

pid	process
2980	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

pid	process
2980	a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe

C:\Users\Admin\AppData\Local\Temp\a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
"C:\Users\Admin\AppData\Local\Temp\a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2980-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download