chinese_generic_botnet | 634249ce49bac5e04a5bab89e07aad52d70344f89a28dc3b71c0360a6c1e66ec

General

Target

cmd.exe
Size

944KB
MD5

a76c226baaef6352380bbcf17442f554
SHA1

163d718deec12af5a5764941377c8a59ffb93e84
SHA256

2418a667c78233cbd6cf0899cafe5aade8298e5ebde9cb2977da68258aa83125
SHA512

d6ee88480aeef06af49cfae8b9a6b7359979f59a155870ba80618238c240b797a7a183dadffb68d8ae78d08a8f1c97762847212605ab15368ff5df35c6b6996d
SSDEEP

24576:QjV3kOrOYJLMJ4MzwKCAyRrPCUeQo6py5yG93RdiyH:sV3kuOY9bu0Ay1PaxZlRdXH

Score

10^/10

chinese_generic_botnet botnet discovery persistence

Malware Config

Signatures

Chinese_generic_botnet family
chinese_generic_botnet
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral3/memory/1644-7792-0x0000000000400000-0x000000000053C000-memory.dmp	unk_chinese_botnet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Gkgqgko.exe"	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

pid	Process
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe
1644	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Gkgqgko.exe	cmd.exe
File opened for modification	C:\Windows\Gkgqgko.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1644	cmd.exe
1644	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1644	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-0-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1644-1-0x0000000075420000-0x0000000075467000-memory.dmp

Filesize
284KB

Download
memory/1644-503-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-504-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-506-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-508-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-512-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-516-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-520-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-522-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-518-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-514-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-510-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-524-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-526-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-542-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-552-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-564-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-544-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-562-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-560-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-558-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-556-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-554-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-550-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-548-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-546-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-540-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-538-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-536-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-534-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-532-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-530-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-528-0x0000000002250000-0x0000000002361000-memory.dmp

Filesize
1.1MB

Download
memory/1644-7792-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads