chinese_generic_botnet | d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 14:33

Target

d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exe
Size

1.8MB
MD5

9762316a2ae09f9d49f6939797134cfe
SHA1

3f56aa1e0c51623e2d987e059371ffd4ed2898e7
SHA256

d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c
SHA512

71e4bd25f145cc5d157bbbb708bed203a9bc3cc42cfab6c98cd7030aa5d378d710c1287bba566fbb3eedec54244fb2caf963d53634b13e0024595016dd7613bf
SSDEEP

24576:Tfc9CZz6Z5LFSZWSb05+RsR2QymNoO9A6UfmzkZF5IyPQjQhTyzCN:UCZWZ5MZWimbOMpCN

Score

10^/10

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/3036-0-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral1/memory/3036-22-0x0000000000400000-0x00000000005C5000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

Processes:

Qikomua.exeQikomua.exe

pid process

2556 Qikomua.exe
2540 Qikomua.exe
Loads dropped DLL 7 IoCs

Processes:

Qikomua.exeQikomua.exe

pid process

2556 Qikomua.exe
2556 Qikomua.exe
2556 Qikomua.exe
2556 Qikomua.exe
2540 Qikomua.exe
2540 Qikomua.exe
2540 Qikomua.exe

pid	process
2556	Qikomua.exe
2540	Qikomua.exe

Drops file in Program Files directory 2 IoCs

Processes:

d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Qikomua.exe	d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exe
File created	C:\Program Files (x86)\Qikomua.exe	d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exe

pid process

3036 d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exeQikomua.exeQikomua.exe

pid process

3036 d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exe
2556 Qikomua.exe
2540 Qikomua.exe

pid	process
3036	d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Qikomua.exe

description	pid	process	target process
PID 2556 wrote to memory of 2540	2556	Qikomua.exe	Qikomua.exe
PID 2556 wrote to memory of 2540	2556	Qikomua.exe	Qikomua.exe
PID 2556 wrote to memory of 2540	2556	Qikomua.exe	Qikomua.exe
PID 2556 wrote to memory of 2540	2556	Qikomua.exe	Qikomua.exe
PID 2556 wrote to memory of 2540	2556	Qikomua.exe	Qikomua.exe
PID 2556 wrote to memory of 2540	2556	Qikomua.exe	Qikomua.exe
PID 2556 wrote to memory of 2540	2556	Qikomua.exe	Qikomua.exe

C:\Program Files (x86)\Qikomua.exe

Filesize
1.8MB

MD5
9762316a2ae09f9d49f6939797134cfe

SHA1
3f56aa1e0c51623e2d987e059371ffd4ed2898e7

SHA256
d24dee95e3a97ae5715108594d4256ba4b177b7204580141795104c2d1c9386c

SHA512
71e4bd25f145cc5d157bbbb708bed203a9bc3cc42cfab6c98cd7030aa5d378d710c1287bba566fbb3eedec54244fb2caf963d53634b13e0024595016dd7613bf

Download Submit
memory/3036-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3036-22-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download