Analysis
max time kernel: 136s
max time network: 136s
platform: windows10_x64
resource: win10v200430
submitted: 30-06-2020 05:41

Static task: static1

Behavioral task: behavioral1
  Sample: data.bin.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: data.bin.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: data.bin.exe
Size: 119KB
MD5: f500854e3cf9556688203a3d869b7d6d
SHA1: 281aab2eb26f31cf2255e2f5a467fc5eebda8df8
SHA256: 471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
SHA512: bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4
Score: 10/10

Malware Config

Signatures
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes (pid, process):
  3888 WerFault.exe (13 entries)
  2500 gennt.exe (2 entries)
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ac63c1c868e87043fad8\\gennt.exe\"" | gennt.exe
Enumerates connected drives (3 TTPs)
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description, pid, process, target process):
  PID 724 wrote to memory of 2500 | 724 data.bin.exe -> gennt.exe (3 entries)
  PID 2500 wrote to memory of 2764 | 2500 gennt.exe -> secinit.exe (8 entries)
  PID 2500 wrote to memory of 984 | 2500 gennt.exe -> cmd.exe (3 entries)
Executes dropped EXE (1 IoC)
Processes (pid, process):
  2500 gennt.exe

Deletes itself (1 IoC)
Processes (pid, process):
  2500 gennt.exe

Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
  3888 2764 WerFault.exe secinit.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
  Token: SeRestorePrivilege | 3888 WerFault.exe
  Token: SeBackupPrivilege | 3888 WerFault.exe
  Token: SeDebugPrivilege | 3888 WerFault.exe
Processes (process tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\data.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\data.bin.exe"
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\ac63c1c868e87043fad8\gennt.exe
    command line: C:\ProgramData\ac63c1c868e87043fad8\gennt.exe "C:\Users\Admin\AppData\Local\Temp\data.bin.exe" ensgJJ
    - Suspicious behavior: EnumeratesProcesses
    - Modifies WinLogon for persistence
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Deletes itself

    C:\Windows\SysWOW64\secinit.exe
      command line: C:\ProgramData\ac63c1c868e87043fad8\gennt.exe

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 664
        - Suspicious behavior: EnumeratesProcesses
        - Program crash
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\ac63c1c868e87043fad8}"
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\ac63c1c868e87043fad8\gennt.exe
- memory/984-10-0x0000000000000000-mapping.dmp
- memory/2500-0-0x0000000000000000-mapping.dmp
- memory/2764-3-0x0000000000000000-mapping.dmp
- memory/2764-5-0x0000000000000000-mapping.dmp
- memory/2764-6-0x0000000000000000-mapping.dmp
- memory/2764-7-0x0000000000000000-mapping.dmp
- memory/2764-8-0x0000000000000000-mapping.dmp
- memory/2764-9-0x0000000000000000-mapping.dmp
- memory/3888-4-0x00000000043A0000-0x00000000043A1000-memory.dmp (Filesize: 4KB)
- memory/3888-11-0x0000000004B20000-0x0000000004B21000-memory.dmp (Filesize: 4KB)