Analysis
-
max time kernel
140s -
max time network
104s -
platform
windows7_x64 -
resource
win7 -
submitted
07-07-2020 08:32
Static task
static1
Behavioral task
behavioral1
Sample
df6e1e72261d4741c7ab841b098ab497.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
df6e1e72261d4741c7ab841b098ab497.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
df6e1e72261d4741c7ab841b098ab497.exe
-
Size
151KB
-
MD5
df6e1e72261d4741c7ab841b098ab497
-
SHA1
f3f84f9a10315f95a73871a53452cf38ef32d9ac
-
SHA256
2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b
-
SHA512
70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\5dc6e8761a7428be2fa5\\gennt.exe\"" gennt.exe -
Executes dropped EXE 1 IoCs
pid Process 1236 gennt.exe -
Deletes itself 1 IoCs
pid Process 1236 gennt.exe -
Loads dropped DLL 2 IoCs
pid Process 1424 df6e1e72261d4741c7ab841b098ab497.exe 1424 df6e1e72261d4741c7ab841b098ab497.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: gennt.exe File opened (read-only) \??\X: gennt.exe File opened (read-only) \??\I: gennt.exe File opened (read-only) \??\J: gennt.exe File opened (read-only) \??\S: gennt.exe File opened (read-only) \??\T: gennt.exe File opened (read-only) \??\V: gennt.exe File opened (read-only) \??\Y: gennt.exe File opened (read-only) \??\Z: gennt.exe File opened (read-only) \??\E: gennt.exe File opened (read-only) \??\N: gennt.exe File opened (read-only) \??\M: gennt.exe File opened (read-only) \??\P: gennt.exe File opened (read-only) \??\R: gennt.exe File opened (read-only) \??\W: gennt.exe File opened (read-only) \??\F: gennt.exe File opened (read-only) \??\L: gennt.exe File opened (read-only) \??\G: gennt.exe File opened (read-only) \??\H: gennt.exe File opened (read-only) \??\K: gennt.exe File opened (read-only) \??\O: gennt.exe File opened (read-only) \??\U: gennt.exe File opened (read-only) \??\A: gennt.exe File opened (read-only) \??\B: gennt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1236 gennt.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1424 wrote to memory of 1236 1424 df6e1e72261d4741c7ab841b098ab497.exe 26 PID 1424 wrote to memory of 1236 1424 df6e1e72261d4741c7ab841b098ab497.exe 26 PID 1424 wrote to memory of 1236 1424 df6e1e72261d4741c7ab841b098ab497.exe 26 PID 1424 wrote to memory of 1236 1424 df6e1e72261d4741c7ab841b098ab497.exe 26 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1760 1236 gennt.exe 27 PID 1236 wrote to memory of 1576 1236 gennt.exe 28 PID 1236 wrote to memory of 1576 1236 gennt.exe 28 PID 1236 wrote to memory of 1576 1236 gennt.exe 28 PID 1236 wrote to memory of 1576 1236 gennt.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe"C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exeC:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe "C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe3⤵PID:1760
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\5dc6e8761a7428be2fa5}"3⤵PID:1576
-
-