Analysis Overview
SHA256
2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b
Threat Level: Known bad
The file df6e1e72261d4741c7ab841b098ab497.exe was found to be: Known bad.
Malicious Activity Summary
Buer
Modifies WinLogon for persistence
Executes dropped EXE
Loads dropped DLL
Deletes itself
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-07-07 08:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-07-07 08:32
Reported
2020-07-07 08:34
Platform
win7
Max time kernel
140s
Max time network
104s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\5dc6e8761a7428be2fa5\\gennt.exe\"" | C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe
"C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe"
C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe "C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\5dc6e8761a7428be2fa5}"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | mesoplano.com | udp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
Files
\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
| MD5 | df6e1e72261d4741c7ab841b098ab497 |
| SHA1 | f3f84f9a10315f95a73871a53452cf38ef32d9ac |
| SHA256 | 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b |
| SHA512 | 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b |
\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
| MD5 | df6e1e72261d4741c7ab841b098ab497 |
| SHA1 | f3f84f9a10315f95a73871a53452cf38ef32d9ac |
| SHA256 | 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b |
| SHA512 | 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b |
memory/1236-2-0x0000000000000000-mapping.dmp
C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
| MD5 | df6e1e72261d4741c7ab841b098ab497 |
| SHA1 | f3f84f9a10315f95a73871a53452cf38ef32d9ac |
| SHA256 | 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b |
| SHA512 | 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b |
C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
| MD5 | df6e1e72261d4741c7ab841b098ab497 |
| SHA1 | f3f84f9a10315f95a73871a53452cf38ef32d9ac |
| SHA256 | 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b |
| SHA512 | 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b |
memory/1760-5-0x0000000000000000-mapping.dmp
memory/1576-6-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-07-07 08:32
Reported
2020-07-07 08:34
Platform
win10
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\60c85a4d4ecb90012faa\\gennt.exe\"" | C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\60c85a4d4ecb90012faa\\gennt.exe\"" | C:\Windows\SysWOW64\secinit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe | N/A |
| N/A | N/A | C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secinit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secinit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe
"C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe"
C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe
C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe "C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\60c85a4d4ecb90012faa}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\60c85a4d4ecb90012faa}"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | mesoplano.com | udp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 67.26.111.254:80 | ctldl.windowsupdate.com | tcp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 84.38.181.209:443 | mesoplano.com | tcp |
| N/A | 84.38.181.209:443 | N/A | tcp |
Files
memory/2116-0-0x0000000000000000-mapping.dmp
C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe
| MD5 | df6e1e72261d4741c7ab841b098ab497 |
| SHA1 | f3f84f9a10315f95a73871a53452cf38ef32d9ac |
| SHA256 | 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b |
| SHA512 | 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b |
C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe
| MD5 | df6e1e72261d4741c7ab841b098ab497 |
| SHA1 | f3f84f9a10315f95a73871a53452cf38ef32d9ac |
| SHA256 | 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b |
| SHA512 | 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b |
memory/764-3-0x0000000000000000-mapping.dmp
memory/3720-4-0x0000000000000000-mapping.dmp
memory/484-5-0x0000000000000000-mapping.dmp