Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 05:41
Static task: static1
Behavioral task: behavioral1
- Sample: data.bin.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: data.bin.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: data.bin.exe
- Size: 119KB
- MD5: f500854e3cf9556688203a3d869b7d6d
- SHA1: 281aab2eb26f31cf2255e2f5a467fc5eebda8df8
- SHA256: 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
- SHA512: bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4
- Score: 10/10
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 316 gennt.exe
- Deletes itself (1 IoC)
  Processes: pid 316 gennt.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 1848 WerFault.exe, description: Token: SeDebugPrivilege
- Enumerates connected drives (3 TTPs)
- Loads dropped DLL (2 IoCs)
  Processes: pid 900 data.bin.exe (2 entries)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (source pid, target pid, source process, target process):
  - PID 900 wrote to memory of 316: data.bin.exe -> gennt.exe (4 entries)
  - PID 316 wrote to memory of 1596: gennt.exe -> secinit.exe (9 entries)
  - PID 1596 wrote to memory of 1848: secinit.exe -> WerFault.exe (4 entries)
  - PID 316 wrote to memory of 1664: gennt.exe -> cmd.exe (4 entries)
- Program crash (1 IoC)
  Processes: pid 1848 WerFault.exe, pid_target 1596 secinit.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: pid 1848 WerFault.exe (4 entries), pid 316 gennt.exe (1 entry)
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: gennt.exe, description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\edce5d3f32661210aedc\\gennt.exe\""
Processes
1. C:\Users\Admin\AppData\Local\Temp\data.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\data.bin.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\edce5d3f32661210aedc\gennt.exe
      Command line: C:\ProgramData\edce5d3f32661210aedc\gennt.exe "C:\Users\Admin\AppData\Local\Temp\data.bin.exe" ensgJJ
      - Executes dropped EXE
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Modifies WinLogon for persistence
      3. C:\Windows\SysWOW64\secinit.exe
         Command line: C:\ProgramData\edce5d3f32661210aedc\gennt.exe
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 280
            - Suspicious use of AdjustPrivilegeToken
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\edce5d3f32661210aedc}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\edce5d3f32661210aedc\gennt.exe
- C:\ProgramData\edce5d3f32661210aedc\gennt.exe
- \ProgramData\edce5d3f32661210aedc\gennt.exe
- \ProgramData\edce5d3f32661210aedc\gennt.exe
- memory/316-2-0x0000000000000000-mapping.dmp
- memory/1596-5-0x0000000000000000-mapping.dmp
- memory/1596-8-0x0000000000000000-mapping.dmp
- memory/1596-9-0x0000000000000000-mapping.dmp
- memory/1664-11-0x0000000000000000-mapping.dmp
- memory/1848-6-0x0000000000000000-mapping.dmp
- memory/1848-7-0x0000000002120000-0x0000000002131000-memory.dmp (Filesize: 68KB)
- memory/1848-10-0x0000000002690000-0x00000000026A1000-memory.dmp (Filesize: 68KB)