Analysis
  max time kernel: 118s
  max time network: 138s
  platform: windows7_x64
  resource: win7-20240215-en
  resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted: 07-04-2024 09:58
Static task: static1
Behavioral task: behavioral1
  Sample: a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  Resource: win10v2004-20240226-en
General
  Target: a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  Size: 1.2MB
  MD5: 059db3d70ebd90594242e8c4dbc92de6
  SHA1: cf6d8ccbbf4d2f752d80c581eba9f70059e776d4
  SHA256: a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9
  SHA512: fade9a9ba73e5fbd84f536f86a8180ef1a1975d45b8e1621ba73d6b9923bd10ae641d406bf5d96e00b3404710192e29445264009a3d326a0f604eb23b31d6cea
  SSDEEP: 24576:w37Z7Xxs8GPeIzxVvoscrpXv63aprWmLjEVsA:c9C8JIzxVvos6QwWmLjEV1
Malware Config
Signatures
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
Chinese Botnet payload (1 IoC)
Processes (resource / yara_rule):
  behavioral1/memory/2980-0-0x0000000010000000-0x0000000010018000-memory.dmp   unk_chinese_botnet
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
  File opened (read-only)   \??\E:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\G:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\I:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\R:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\U:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\B:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\K:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\V:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\X:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\Z:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\J:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\N:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\O:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\P:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\Q:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\W:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\Y:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\H:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\L:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\M:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\S:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  File opened (read-only)   \??\T:   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid / process):
  2980   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
  2980   a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\a6e6c5aa54a2d95208be5c7b07b9a77bf31b3a91a0706a824ca50698343fa6e9.exe"
     PID: 2980
     - Enumerates connected drives
     - Checks processor information in registry
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of SetWindowsHookEx