Analysis
-
max time kernel
473s -
max time network
479s -
platform
windows7_x64 -
resource
win7 -
submitted
08-07-2020 21:02
Static task
static1
Behavioral task
behavioral1
Sample
e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe
Resource
win7
Behavioral task
behavioral2
Sample
e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe
Resource
win7
General
-
Target
e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe
-
Size
146KB
-
MD5
db3c2530d727bac602e6c41cb3e60562
-
SHA1
0d62d5a5fba84c1e826591f27892466a1cd59257
-
SHA256
e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1
-
SHA512
03e25d32a262c88ec2cf9303b7835da93b321a1d2a092531c96df8d95065944250f63c075792ca72b6d2a12d60c492782ba516712fbca0bf3b0239477b6b06e8
Malware Config
Extracted
buer
https://162.244.81.87/
http://162.244.81.87:8080/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
gennt.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\4086c7426c4288167014\\gennt.exe\"" gennt.exe -
Buer Loader 1 IoCs
Detects Buer loader in memory or disk.
Processes:
resource yara_rule behavioral1/memory/1448-0-0x0000000000030000-0x000000000003C000-memory.dmp buer -
Executes dropped EXE 1 IoCs
Processes:
gennt.exepid process 800 gennt.exe -
Deletes itself 1 IoCs
Processes:
gennt.exepid process 800 gennt.exe -
Loads dropped DLL 1 IoCs
Processes:
e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exepid process 1448 e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
gennt.exedescription ioc process File opened (read-only) \??\K: gennt.exe File opened (read-only) \??\V: gennt.exe File opened (read-only) \??\W: gennt.exe File opened (read-only) \??\A: gennt.exe File opened (read-only) \??\J: gennt.exe File opened (read-only) \??\H: gennt.exe File opened (read-only) \??\P: gennt.exe File opened (read-only) \??\T: gennt.exe File opened (read-only) \??\Y: gennt.exe File opened (read-only) \??\B: gennt.exe File opened (read-only) \??\F: gennt.exe File opened (read-only) \??\O: gennt.exe File opened (read-only) \??\S: gennt.exe File opened (read-only) \??\X: gennt.exe File opened (read-only) \??\I: gennt.exe File opened (read-only) \??\M: gennt.exe File opened (read-only) \??\L: gennt.exe File opened (read-only) \??\N: gennt.exe File opened (read-only) \??\Q: gennt.exe File opened (read-only) \??\R: gennt.exe File opened (read-only) \??\U: gennt.exe File opened (read-only) \??\Z: gennt.exe File opened (read-only) \??\E: gennt.exe File opened (read-only) \??\G: gennt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1264 1656 WerFault.exe secinit.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exegennt.exepid process 1264 WerFault.exe 1264 WerFault.exe 1264 WerFault.exe 1264 WerFault.exe 800 gennt.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1264 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1264 WerFault.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exegennt.exesecinit.exedescription pid process target process PID 1448 wrote to memory of 800 1448 e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe gennt.exe PID 1448 wrote to memory of 800 1448 e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe gennt.exe PID 1448 wrote to memory of 800 1448 e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe gennt.exe PID 1448 wrote to memory of 800 1448 e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe gennt.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 800 wrote to memory of 1656 800 gennt.exe secinit.exe PID 1656 wrote to memory of 1264 1656 secinit.exe WerFault.exe PID 1656 wrote to memory of 1264 1656 secinit.exe WerFault.exe PID 1656 wrote to memory of 1264 1656 secinit.exe WerFault.exe PID 1656 wrote to memory of 1264 1656 secinit.exe WerFault.exe PID 800 wrote to memory of 1636 800 gennt.exe cmd.exe PID 800 wrote to memory of 1636 800 gennt.exe cmd.exe PID 800 wrote to memory of 1636 800 gennt.exe cmd.exe PID 800 wrote to memory of 1636 800 gennt.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe"C:\Users\Admin\AppData\Local\Temp\e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\ProgramData\4086c7426c4288167014\gennt.exeC:\ProgramData\4086c7426c4288167014\gennt.exe "C:\Users\Admin\AppData\Local\Temp\e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\4086c7426c4288167014\gennt.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1604⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1264 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\4086c7426c4288167014}"3⤵PID:1636
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
db3c2530d727bac602e6c41cb3e60562
SHA10d62d5a5fba84c1e826591f27892466a1cd59257
SHA256e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1
SHA51203e25d32a262c88ec2cf9303b7835da93b321a1d2a092531c96df8d95065944250f63c075792ca72b6d2a12d60c492782ba516712fbca0bf3b0239477b6b06e8
-
MD5
db3c2530d727bac602e6c41cb3e60562
SHA10d62d5a5fba84c1e826591f27892466a1cd59257
SHA256e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1
SHA51203e25d32a262c88ec2cf9303b7835da93b321a1d2a092531c96df8d95065944250f63c075792ca72b6d2a12d60c492782ba516712fbca0bf3b0239477b6b06e8
-
MD5
db3c2530d727bac602e6c41cb3e60562
SHA10d62d5a5fba84c1e826591f27892466a1cd59257
SHA256e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1
SHA51203e25d32a262c88ec2cf9303b7835da93b321a1d2a092531c96df8d95065944250f63c075792ca72b6d2a12d60c492782ba516712fbca0bf3b0239477b6b06e8