Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
27-04-2024 16:28
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20240419-en
General
-
Target
tmp.exe
-
Size
3.3MB
-
MD5
d6c0cf36d24f9c78d3e9c62c1ab10d7a
-
SHA1
40aef92c854049c716038a8ab79758d9d579b90d
-
SHA256
cc13d8ef2716a7653e04f1ee11a9be519897982cd83ae95559cb08513ed21c7e
-
SHA512
16b6b134417c3e9f067c2a1e8205067a2a9fac2b4d6342e2da7c8a90d8dcf4fff07ad39ade8e8b007a6a019419a58a733bb722463a472677f472380cf1b8a2bd
-
SSDEEP
98304:e4uTo0ZdxryDXakEfkslniBGT93rAS1Up0:e4eNeGTfksliBc933G+
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2600-11797-0x0000000010000000-0x0000000010018000-memory.dmp unk_chinese_botnet behavioral2/memory/2600-11799-0x0000000000400000-0x0000000000548000-memory.dmp unk_chinese_botnet -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
tmp.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation tmp.exe -
Executes dropped EXE 2 IoCs
Processes:
QQ.exesvchost.exepid Process 2600 QQ.exe 3144 svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
QQ.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvzbtbs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\QQ.exe" QQ.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
svchost.exeQQ.exepid Process 3144 svchost.exe 3144 svchost.exe 2600 QQ.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe 3144 svchost.exe 2600 QQ.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
svchost.exepid Process 3144 svchost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
tmp.exesvchost.exepid Process 828 tmp.exe 828 tmp.exe 3144 svchost.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
tmp.exedescription pid Process procid_target PID 828 wrote to memory of 2600 828 tmp.exe 85 PID 828 wrote to memory of 2600 828 tmp.exe 85 PID 828 wrote to memory of 2600 828 tmp.exe 85 PID 828 wrote to memory of 3144 828 tmp.exe 86 PID 828 wrote to memory of 3144 828 tmp.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Users\Admin\AppData\Roaming\QQ.exe"C:\Users\Admin\AppData\Roaming\QQ.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2600
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3144
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
936KB
MD5f21c518bcafa5fe911f17ffb3c1797b0
SHA16ddf4338b8802ed0e698af6d78695cc12d7e55d6
SHA256a64ace959b459d7f23ceb7b2ff1cbe7f9346e3aa412118d4078b940e13b087a8
SHA512482a3c93ed737da332be810d543a2afd274b6c20ebcdccf4a324cca756629ffcd402c7ba5b514ad19f91bb27ecdc3de0e3baa30f65658c1f152ad1bcc9f8f25f
-
Filesize
1.6MB
MD5e10f2fe129e169b2ac1ce9eeb179c15f
SHA1bf6b5ac1c98b04b2b881522b10277efa4acb72b5
SHA2561419f75027c186e8024396999a6841e6bbbcec531d134f8f26491a0fca9715a0
SHA512590e3c4ddb764ae2764b74f9f6283c7b3635c1dfaf42e3c80b90a2bf71b66b2cff2d5f1519c28965dcbf07152766f28fc827f140cedf3547a5985e4d755cac83