Malware Analysis Report

2024-11-13 16:49

Sample ID 200706-e9vg7tb8zn
Target 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA256 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
Tags
buer loader persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

Threat Level: Known bad

The file 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083 was found to be: Known bad.

Malicious Activity Summary

buer loader persistence

Buer

Modifies WinLogon for persistence

Buer Loader

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-07-06 07:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-07-06 07:30

Reported

2020-07-06 07:36

Platform

win7v200430

Max time kernel

141s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"

Signatures

Buer

loader buer

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\d27b15bf5fed4179aa6c\\gennt.exe\"" | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A

Buer Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\V: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\X: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\B: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\E: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\Q: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\T: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\R: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\U: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\J: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\K: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\N: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\O: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\Z: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\A: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\G: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\H: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\W: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\P: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\S: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\Y: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\F: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\I: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\L: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A
File opened (read-only) | \??\M: | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1528 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
PID 1528 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
PID 1528 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
PID 1528 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
PID 1828 wrote to memory of 1836 | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1828 wrote to memory of 1836 | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1828 wrote to memory of 1836 | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1828 wrote to memory of 1836 | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1828 wrote to memory of 1868 | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1868 | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1868 | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1868 | N/A | C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe

"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"

C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe

C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe "C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\d27b15bf5fed4179aa6c}"

Network

Country Destination Domain Proto
N/A 66.228.45.248:443 tcp
N/A 66.228.45.248:443 tcp
N/A 66.228.45.248:443 tcp

Files

\ProgramData\d27b15bf5fed4179aa6c\gennt.exe

MD5 d91043ee270758fbc29613e993cf17a6
SHA1 bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

\ProgramData\d27b15bf5fed4179aa6c\gennt.exe

MD5 d91043ee270758fbc29613e993cf17a6
SHA1 bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

memory/1828-2-0x0000000000000000-mapping.dmp

C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe

MD5 d91043ee270758fbc29613e993cf17a6
SHA1 bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

memory/1868-4-0x0000000000000000-mapping.dmp

C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe

MD5 d91043ee270758fbc29613e993cf17a6
SHA1 bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Analysis: behavioral2

Detonation Overview

Submitted

2020-07-06 07:30

Reported

2020-07-06 07:36

Platform

win10

Max time kernel

140s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"

Signatures

Buer

loader buer

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\de8a63018a2b5e297469\\gennt.exe\"" | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\de8a63018a2b5e297469\\gennt.exe\"" | C:\Windows\SysWOW64\secinit.exe | N/A

Buer Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\secinit.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\secinit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\secinit.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\secinit.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3148 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | C:\ProgramData\de8a63018a2b5e297469\gennt.exe
PID 3148 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | C:\ProgramData\de8a63018a2b5e297469\gennt.exe
PID 3148 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe | C:\ProgramData\de8a63018a2b5e297469\gennt.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3892 wrote to memory of 3996 | N/A | C:\ProgramData\de8a63018a2b5e297469\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 3996 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\secinit.exe | C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\secinit.exe | C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\secinit.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe

"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"

C:\ProgramData\de8a63018a2b5e297469\gennt.exe

C:\ProgramData\de8a63018a2b5e297469\gennt.exe "C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\de8a63018a2b5e297469\gennt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\de8a63018a2b5e297469}"

Network

Country Destination Domain Proto
N/A 66.228.45.248:443 tcp
N/A 66.228.45.248:443 tcp
N/A 66.228.45.248:443 tcp

Files

memory/3892-0-0x0000000000000000-mapping.dmp

C:\ProgramData\de8a63018a2b5e297469\gennt.exe

MD5 d91043ee270758fbc29613e993cf17a6
SHA1 bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

C:\ProgramData\de8a63018a2b5e297469\gennt.exe

MD5 d91043ee270758fbc29613e993cf17a6
SHA1 bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512 1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

memory/3996-3-0x0000000000000000-mapping.dmp

memory/1596-4-0x0000000000000000-mapping.dmp