Analysis Overview
SHA256
070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
Threat Level: Known bad
The file 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083 was found to be: Known bad.
Malicious Activity Summary
Buer
Modifies WinLogon for persistence
Buer Loader
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-07-06 07:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-07-06 07:30
Reported
2020-07-06 07:36
Platform
win7v200430
Max time kernel
141s
Max time network
140s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\d27b15bf5fed4179aa6c\\gennt.exe\"" | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A |
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe "C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\d27b15bf5fed4179aa6c}"
Network
| Country | Destination | Domain | Proto |
| N/A | 66.228.45.248:443 | | tcp |
| N/A | 66.228.45.248:443 | | tcp |
| N/A | 66.228.45.248:443 | | tcp |
Files
\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
| MD5 | d91043ee270758fbc29613e993cf17a6 |
| SHA1 | bf3baf3e2d446f65b14d310e0e0a79d4002f9c03 |
| SHA256 | 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083 |
| SHA512 | 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000 |
memory/1828-2-0x0000000000000000-mapping.dmp
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
| MD5 | d91043ee270758fbc29613e993cf17a6 |
| SHA1 | bf3baf3e2d446f65b14d310e0e0a79d4002f9c03 |
| SHA256 | 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083 |
| SHA512 | 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000 |
memory/1868-4-0x0000000000000000-mapping.dmp
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
| MD5 | d91043ee270758fbc29613e993cf17a6 |
| SHA1 | bf3baf3e2d446f65b14d310e0e0a79d4002f9c03 |
| SHA256 | 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083 |
| SHA512 | 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000 |
Analysis: behavioral2
Detonation Overview
Submitted
2020-07-06 07:30
Reported
2020-07-06 07:36
Platform
win10
Max time kernel
140s
Max time network
126s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\de8a63018a2b5e297469\\gennt.exe\"" | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\de8a63018a2b5e297469\\gennt.exe\"" | C:\Windows\SysWOW64\secinit.exe | N/A |
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\secinit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\secinit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secinit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"
C:\ProgramData\de8a63018a2b5e297469\gennt.exe
C:\ProgramData\de8a63018a2b5e297469\gennt.exe "C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\de8a63018a2b5e297469\gennt.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\de8a63018a2b5e297469}"
Network
| Country | Destination | Domain | Proto |
| N/A | 66.228.45.248:443 | | tcp |
| N/A | 66.228.45.248:443 | | tcp |
| N/A | 66.228.45.248:443 | | tcp |
Files
memory/3892-0-0x0000000000000000-mapping.dmp
C:\ProgramData\de8a63018a2b5e297469\gennt.exe
| MD5 | d91043ee270758fbc29613e993cf17a6 |
| SHA1 | bf3baf3e2d446f65b14d310e0e0a79d4002f9c03 |
| SHA256 | 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083 |
| SHA512 | 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000 |
memory/3996-3-0x0000000000000000-mapping.dmp
memory/1596-4-0x0000000000000000-mapping.dmp