Analysis
-
max time kernel
294s -
max time network
294s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28-04-2024 18:09
General
-
Target
tmp.exe
-
Size
3.3MB
-
MD5
d6c0cf36d24f9c78d3e9c62c1ab10d7a
-
SHA1
40aef92c854049c716038a8ab79758d9d579b90d
-
SHA256
cc13d8ef2716a7653e04f1ee11a9be519897982cd83ae95559cb08513ed21c7e
-
SHA512
16b6b134417c3e9f067c2a1e8205067a2a9fac2b4d6342e2da7c8a90d8dcf4fff07ad39ade8e8b007a6a019419a58a733bb722463a472677f472380cf1b8a2bd
-
SSDEEP
98304:e4uTo0ZdxryDXakEfkslniBGT93rAS1Up0:e4eNeGTfksliBc933G+
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 24 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\QQ.exe"C:\Users\Admin\AppData\Roaming\QQ.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Kvzbtbs.exe"C:\Program Files (x86)\Kvzbtbs.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
936KB
MD5f21c518bcafa5fe911f17ffb3c1797b0
SHA16ddf4338b8802ed0e698af6d78695cc12d7e55d6
SHA256a64ace959b459d7f23ceb7b2ff1cbe7f9346e3aa412118d4078b940e13b087a8
SHA512482a3c93ed737da332be810d543a2afd274b6c20ebcdccf4a324cca756629ffcd402c7ba5b514ad19f91bb27ecdc3de0e3baa30f65658c1f152ad1bcc9f8f25f
-
Filesize
1.6MB
MD5e10f2fe129e169b2ac1ce9eeb179c15f
SHA1bf6b5ac1c98b04b2b881522b10277efa4acb72b5
SHA2561419f75027c186e8024396999a6841e6bbbcec531d134f8f26491a0fca9715a0
SHA512590e3c4ddb764ae2764b74f9f6283c7b3635c1dfaf42e3c80b90a2bf71b66b2cff2d5f1519c28965dcbf07152766f28fc827f140cedf3547a5985e4d755cac83
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
284KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.3MB
-
Filesize
1.1MB
-
Filesize
1.8MB
-
Filesize
1.8MB