chinese_generic_botnet | 5f830899b3b1cb680b762b896862e87fb11e68526fda9568d1e135160014413c

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210808-090104.exe
Size

312KB
MD5

db3634519c2d504f67f0ac5518d4c208
SHA1

752eaa1a95d1179ac825119d27c006ddeda41d6b
SHA256

69d7973f1002d543c7e1935b95a4493ec29d0c21d3dc5e50d2f477868a914f70
SHA512

3cca550e3fc9360f97b04c64172daface1e2a5f2b6508fc141f15214bf9e668a88e81ed487b40d926a944e0c71d35f2f97fb2066a66dfb4dab2f264410b6d751
SSDEEP

6144:JEeHlmxEW0qLFWfs/ZnGWvAljyyqI7rRgdixjTwa/RxJg:JTgTZWk/oWvARy9oRxHY

Score

10^/10

chinese_generic_botnet botnet discovery

Malware Config

Signatures

Chinese_generic_botnet family
chinese_generic_botnet
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 4 IoCs

botnet

resource	yara_rule
behavioral5/memory/1292-4-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral5/memory/1292-10-0x0000000000400000-0x00000000004BE000-memory.dmp	unk_chinese_botnet
behavioral5/memory/1292-9-0x0000000000400000-0x0000000002C84000-memory.dmp	unk_chinese_botnet
behavioral5/memory/2768-27-0x0000000000400000-0x0000000002C84000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 1 IoCs

pid	Process
2768	Sxazswv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Sxazswv.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Qkiuak\Sxazswv.exe	mixazed_20210808-090104.exe
File opened for modification	C:\Program Files (x86)\Microsoft Qkiuak\Sxazswv.exe	mixazed_20210808-090104.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sxazswv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixazed_20210808-090104.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37B94B18-9FF6-43A3-B03F-D94BA6ACE400}\WpadDecision = "0"	Sxazswv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37B94B18-9FF6-43A3-B03F-D94BA6ACE400}\e2-ce-35-6a-58-62	Sxazswv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-ce-35-6a-58-62\WpadDecisionTime = 20c009f7b833db01	Sxazswv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-ce-35-6a-58-62\WpadDecision = "0"	Sxazswv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Sxazswv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Sxazswv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Sxazswv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Sxazswv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Sxazswv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37B94B18-9FF6-43A3-B03F-D94BA6ACE400}	Sxazswv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37B94B18-9FF6-43A3-B03F-D94BA6ACE400}\WpadDecisionReason = "1"	Sxazswv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Sxazswv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Sxazswv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Sxazswv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Sxazswv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37B94B18-9FF6-43A3-B03F-D94BA6ACE400}\WpadNetworkName = "Network 3"	Sxazswv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-ce-35-6a-58-62	Sxazswv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Sxazswv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37B94B18-9FF6-43A3-B03F-D94BA6ACE400}\WpadDecisionTime = 20c009f7b833db01	Sxazswv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-ce-35-6a-58-62\WpadDecisionReason = "1"	Sxazswv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Sxazswv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Sxazswv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Sxazswv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Sxazswv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1292	mixazed_20210808-090104.exe
2768	Sxazswv.exe

C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-090104.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-090104.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Program Files (x86)\Microsoft Qkiuak\Sxazswv.exe
"C:\Program Files (x86)\Microsoft Qkiuak\Sxazswv.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Qkiuak\Sxazswv.exe

Filesize
1.3MB

MD5
9d7b66aa1c485455c10b29b08ee97168

SHA1
8970a12998b3dcb561e50c25bd8be17e3a179e4c

SHA256
cec3a39269f08cb4f4925132cadf99631cb9f36f4a8aee5c5ab8c22ca2643ee0

SHA512
6ec22c0ef6e8d031f34f83fb4aa05b544c42dc627716bff5fcb4f2471ca055c40fee1e4270fd4f253bf200ed2acdbd5409045abbf0836e90d1563968b8b514cb

Download Submit
memory/1292-10-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1292-3-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1292-4-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1292-7-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/1292-8-0x0000000002C90000-0x0000000002D4C000-memory.dmp

Filesize
752KB

Download
memory/1292-1-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/1292-9-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/1292-2-0x0000000002C90000-0x0000000002D4C000-memory.dmp

Filesize
752KB

Download
memory/2768-20-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/2768-21-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/2768-22-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/2768-27-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download