Analysis
-
max time kernel
137s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
03-05-2024 20:58
General
-
Target
3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe
-
Size
573KB
-
MD5
4de52afe5be73651d8121a799cc08b59
-
SHA1
1e269edfab7f8f84a8f212b2288a0f13aa499af8
-
SHA256
3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d
-
SHA512
13a166155992729037a6a8058bd267481013cdb9f768537568e954ccf142e31880b4e59f2cfba9da1420c42d8c2aa6edd0ff90194848db3c713d898c8b16922d
-
SSDEEP
12288:nsaY8rigT27rMf3hGrBvelimccunSH2JGhfZ+1hmohdTyeTqy:B/rxT28EvelFfunSH2wxZ+9hFT/
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 1 IoCs
-
UPX dump on OEP (original entry point) 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe"C:\Users\Admin\AppData\Local\Temp\3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Temp\Îı¾´¦Àí.exe"C:\Users\Admin\AppData\Local\Temp\Temp\Îı¾´¦Àí.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp\IntelCpHDCPSvc.exe"C:\Users\Admin\AppData\Local\Temp\Temp\IntelCpHDCPSvc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c md C:\windowss643⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Temp\IntelCpHDCPSvc.exeFilesize
412KB
MD5669f0cd8a956fe16c90debc6950ff637
SHA1aebfc5daf7081d47ef11027864f85febe662e664
SHA2560a197cd65dd3a1cbe8becfcb6c2feb6fb23c0259866620602f641d9d110e4c5c
SHA512714fec3975174fe0881d8363007afe7e817317f7781e61d4a845591ad99208ed6c05ffd0d5b0a121173afc18329f01639ef9f3db2b9a7a692bf42feb91311f26
-
C:\Users\Admin\AppData\Local\Temp\Temp\Îı¾´¦Àí.exeFilesize
1.0MB
MD5b16409fa2a8b5126c2e2c6031f4c9c08
SHA18e92523018abc7feca56707679baaa8ea09a6a1a
SHA256d63ee11aa0a1bb6b3832255f01c812d13123adff3a57acfaad0619b58f850b29
SHA512a1f5cf8ac0e4ee4edef4be0173605b7676213fb501d3658a157b6ae19aa7b729acaaa42c0776a2cfaec3cf094bab8118f295d8d2e299636f127e9e5b34b17918
-
memory/540-24-0x0000000010000000-0x0000000010018000-memory.dmpFilesize
96KB
-
memory/900-0-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/900-21-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1656-15-0x0000000000400000-0x000000000050E000-memory.dmpFilesize
1.1MB
-
memory/1656-22-0x0000000000820000-0x0000000000821000-memory.dmpFilesize
4KB
-
memory/1656-23-0x0000000000400000-0x000000000050E000-memory.dmpFilesize
1.1MB