Analysis
- max time kernel: 137s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-05-2024 20:58
Behavioral task behavioral1
- Sample: 3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe
- Resource: win10v2004-20240419-en
General
- Target: 3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe
- Size: 573KB
- MD5: 4de52afe5be73651d8121a799cc08b59
- SHA1: 1e269edfab7f8f84a8f212b2288a0f13aa499af8
- SHA256: 3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d
- SHA512: 13a166155992729037a6a8058bd267481013cdb9f768537568e954ccf142e31880b4e59f2cfba9da1420c42d8c2aa6edd0ff90194848db3c713d898c8b16922d
- SSDEEP: 12288:nsaY8rigT27rMf3hGrBvelimccunSH2JGhfZ+1hmohdTyeTqy:B/rxT28EvelFfunSH2wxZ+9hFT/
Malware Config
Signatures
- Generic Chinese Botnet
  A botnet originating from China which is currently unnamed publicly.
- Chinese Botnet payload (1 IoC)
  resource: behavioral2/memory/540-24-0x0000000010000000-0x0000000010018000-memory.dmp
  yara_rule: unk_chinese_botnet
- UPX dump on OEP (original entry point) (2 IoCs)
  Both hits are dumps of the same 0x00400000-0x0041C000 image region of PID 900, the submitted sample.
  resource: behavioral2/memory/900-0-0x0000000000400000-0x000000000041C000-memory.dmp  yara_rule: UPX
  resource: behavioral2/memory/900-21-0x0000000000400000-0x000000000041C000-memory.dmp  yara_rule: UPX
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence. Geo\Nation stores a Windows GEOID (a decimal number such as 244 for the United States or 45 for China), not an ISO country code.
  process: 3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
  pid 1656: Îı¾´¦Àí.exe (a GBK-encoded file name rendered through a Western code page; the bytes CE C4 B1 BE B4 A6 C0 ED decode as 文本处理.exe, "text processing")
  pid 540: IntelCpHDCPSvc.exe
- Untitled signature (the name is missing from the page; two yara_rule hits)
  resource: behavioral2/memory/900-0-0x0000000000400000-0x000000000041C000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/900-21-0x0000000000400000-0x000000000041C000-memory.dmp  yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  This is a per-user Run value (HKCU), so it needs no elevation; the value name Wcdsekp.exe does not match the file it launches, so hunt on both the name and the data.
  process: IntelCpHDCPSvc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wcdsekp.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\IntelCpHDCPSvc.exe"
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive. Every drive letter except A:, C:, D: and F: was opened.
  process: IntelCpHDCPSvc.exe
  File opened (read-only): \??\M:, \??\S:, \??\V:, \??\W:, \??\Y:, \??\B:, \??\G:, \??\H:, \??\P:, \??\X:, \??\Z:, \??\K:, \??\L:, \??\E:, \??\I:, \??\J:, \??\N:, \??\O:, \??\Q:, \??\R:, \??\T:, \??\U:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  process: IntelCpHDCPSvc.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 540: IntelCpHDCPSvc.exe (two occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1656: Îı¾´¦Àí.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Every write targets a direct child from the process tree below; no write into an unrelated process is recorded.
  PID 900 (3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe) wrote to memory of PID 1656 (Îı¾´¦Àí.exe), 3 times
  PID 900 (3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe) wrote to memory of PID 540 (IntelCpHDCPSvc.exe), 3 times
  PID 540 (IntelCpHDCPSvc.exe) wrote to memory of PID 64 (cmd.exe), 3 times
Processes (PIDs taken from the WriteProcessMemory entries above)
- C:\Users\Admin\AppData\Local\Temp\3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe (PID 900, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Temp\Îı¾´¦Àí.exe (PID 1656, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\Îı¾´¦Àí.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Temp\IntelCpHDCPSvc.exe (PID 540, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\IntelCpHDCPSvc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 64, level 3)
      command line: C:\Windows\system32\cmd.exe /c md C:\windowss64
      The command line names system32 but the image ran from SysWOW64: the 32-bit parent is subject to WOW64 file system redirection. The created directory name imitates "Windows" with a doubled "s".
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Temp\IntelCpHDCPSvc.exe
  Filesize: 412KB
  MD5: 669f0cd8a956fe16c90debc6950ff637
  SHA1: aebfc5daf7081d47ef11027864f85febe662e664
  SHA256: 0a197cd65dd3a1cbe8becfcb6c2feb6fb23c0259866620602f641d9d110e4c5c
  SHA512: 714fec3975174fe0881d8363007afe7e817317f7781e61d4a845591ad99208ed6c05ffd0d5b0a121173afc18329f01639ef9f3db2b9a7a692bf42feb91311f26
- C:\Users\Admin\AppData\Local\Temp\Temp\Îı¾´¦Àí.exe
  Filesize: 1.0MB
  MD5: b16409fa2a8b5126c2e2c6031f4c9c08
  SHA1: 8e92523018abc7feca56707679baaa8ea09a6a1a
  SHA256: d63ee11aa0a1bb6b3832255f01c812d13123adff3a57acfaad0619b58f850b29
  SHA512: a1f5cf8ac0e4ee4edef4be0173605b7676213fb501d3658a157b6ae19aa7b729acaaa42c0776a2cfaec3cf094bab8118f295d8d2e299636f127e9e5b34b17918
- memory/540-24-0x0000000010000000-0x0000000010018000-memory.dmp
  Filesize: 96KB
- memory/900-0-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/900-21-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/1656-15-0x0000000000400000-0x000000000050E000-memory.dmp
  Filesize: 1.1MB
- memory/1656-22-0x0000000000820000-0x0000000000821000-memory.dmp
  Filesize: 4KB
- memory/1656-23-0x0000000000400000-0x000000000050E000-memory.dmp
  Filesize: 1.1MB
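The following host-triage script is an added example and is not part of the sandbox report or the sample. It turns the artifacts recorded above (the HKCU Run value, the two dropped executables in the per-user Temp\Temp directory, the C:\windowss64 directory, and the Geo\Nation and ~MHz registry values the sample queried) into checks that can be run on a suspect Windows host. The function and variable names (Invoke-ReportTriage, New-Finding, $ReportIoc and so on) are the author's own; the paths, value name and hashes come from the report. Run it from an elevated PowerShell so that every loaded user hive under HKEY_USERS can be read, not only the current user's.

```powershell
# Added triage script for this report; not part of the sandbox output or the sample.
# Checks a Windows host for the recorded artifacts and returns one object per hit.
# Requires an elevated shell so every loaded user hive under HKEY_USERS is readable.

$ReportIoc = @{
    RunValueName  = 'Wcdsekp.exe'              # value name set under HKCU\...\Run
    RunDataHint   = 'IntelCpHDCPSvc.exe'        # file the Run value points at
    DropDirSuffix = 'AppData\Local\Temp\Temp'   # relative to each user profile
    CreatedDir    = 'C:\windowss64'             # created by "cmd.exe /c md"
    Sha256        = @(                          # submitted sample and both dropped files
        '3fee7f944dc0f23d09628713fe542cfcd70c6192d8fe106c6a5bf10516887f3d',
        '0a197cd65dd3a1cbe8becfcb6c2feb6fb23c0259866620602f641d9d110e4c5c',
        'd63ee11aa0a1bb6b3832255f01c812d13123adff3a57acfaad0619b58f850b29'
    )
}
# Properties Get-ItemProperty adds to every result; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function New-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    [pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail }
}

function Get-UserHives {
    # Expose HKEY_USERS as a drive so profiles other than the current user's can be read.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName }
}

function Get-RunKeyFindings {
    foreach ($sid in Get-UserHives) {
        $run = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
        $values = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($p in $values.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            # Match the value name from the report, or any Run entry that launches the dropped file.
            if ($p.Name -eq $ReportIoc.RunValueName -or "$($p.Value)" -like "*$($ReportIoc.RunDataHint)*") {
                New-Finding 'RunKey' "$sid\...\Run\$($p.Name)" "$($p.Value)"
            }
        }
    }
}

function Get-DroppedFileFindings {
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $dropDir = Join-Path $userDir.FullName $ReportIoc.DropDirSuffix
        if (-not (Test-Path -LiteralPath $dropDir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dropDir -File -ErrorAction SilentlyContinue) {
            # Hash every file rather than matching names: the second dropped file has a
            # GBK name that a Western locale renders as mojibake, so its name is unreliable.
            $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            if ($ReportIoc.Sha256 -contains $sha) {          # -contains is case-insensitive
                New-Finding 'DroppedFile' $f.FullName "SHA256 $sha"
            } elseif ($f.Name -eq $ReportIoc.RunDataHint) {
                New-Finding 'DroppedFileNameOnly' $f.FullName "SHA256 $sha (not in report)"
            }
        }
    }
}

function Get-ContextFindings {
    if (Test-Path -LiteralPath $ReportIoc.CreatedDir) {
        New-Finding 'CreatedDir' $ReportIoc.CreatedDir 'exists'
    }
    # Geo\Nation holds a Windows GEOID, not an ISO code: 45 is China, 244 is the United States.
    # An en-US sandbox therefore hands a geofenced sample 244 here.
    foreach ($sid in Get-UserHives) {
        $geo = Get-ItemProperty -Path "HKU:\$sid\Control Panel\International\Geo" -Name Nation -ErrorAction SilentlyContinue
        if ($geo) { New-Finding 'Context' "$sid Geo\Nation" "GEOID $($geo.Nation)" }
    }
    # ~MHz is the value the sample queried; the report does not say what it compares it with.
    $cpu = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0' -Name '~MHz' -ErrorAction SilentlyContinue
    if ($cpu) { New-Finding 'Context' 'CentralProcessor\0\~MHz' "$($cpu.'~MHz')" }
}

function Invoke-ReportTriage {
    # Context rows are informational and always present; any other Kind is a hit.
    @(Get-RunKeyFindings) + @(Get-DroppedFileFindings) + @(Get-ContextFindings)
}

Invoke-ReportTriage | Format-Table -AutoSize
```

Only hives that are currently loaded appear under HKEY_USERS, so for profiles that are not logged on the Run check needs the user's NTUSER.DAT loaded with reg.exe load first; the file and directory checks do not have that limitation. A DroppedFileNameOnly row means the file name matches but the content does not, which is worth a manual look rather than an automatic dismissal.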