Analysis
-
max time kernel
138s -
max time network
143s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
08-07-2020 15:40
Static task
static1
Behavioral task
behavioral1
Sample
DocumentPreview.exe
Resource
win7
Behavioral task
behavioral2
Sample
DocumentPreview.exe
Resource
win10v200430
General
-
Target
DocumentPreview.exe
-
Size
146KB
-
MD5
db3c2530d727bac602e6c41cb3e60562
-
SHA1
0d62d5a5fba84c1e826591f27892466a1cd59257
-
SHA256
e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1
-
SHA512
03e25d32a262c88ec2cf9303b7835da93b321a1d2a092531c96df8d95065944250f63c075792ca72b6d2a12d60c492782ba516712fbca0bf3b0239477b6b06e8
Malware Config
Extracted
buer
https://162.244.81.87/
http://162.244.81.87:8080/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ae99cb89d6941a0b3431\\gennt.exe\"" gennt.exe -
Buer Loader 1 IoCs
Detects Buer loader in memory or disk.
resource yara_rule behavioral2/memory/2904-0-0x00000000001D0000-0x00000000001DC000-memory.dmp buer -
Executes dropped EXE 1 IoCs
pid Process 3720 gennt.exe -
Deletes itself 1 IoCs
pid Process 3720 gennt.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: gennt.exe File opened (read-only) \??\U: gennt.exe File opened (read-only) \??\V: gennt.exe File opened (read-only) \??\A: gennt.exe File opened (read-only) \??\G: gennt.exe File opened (read-only) \??\I: gennt.exe File opened (read-only) \??\J: gennt.exe File opened (read-only) \??\M: gennt.exe File opened (read-only) \??\X: gennt.exe File opened (read-only) \??\B: gennt.exe File opened (read-only) \??\K: gennt.exe File opened (read-only) \??\S: gennt.exe File opened (read-only) \??\T: gennt.exe File opened (read-only) \??\W: gennt.exe File opened (read-only) \??\H: gennt.exe File opened (read-only) \??\O: gennt.exe File opened (read-only) \??\P: gennt.exe File opened (read-only) \??\Y: gennt.exe File opened (read-only) \??\Z: gennt.exe File opened (read-only) \??\E: gennt.exe File opened (read-only) \??\F: gennt.exe File opened (read-only) \??\L: gennt.exe File opened (read-only) \??\Q: gennt.exe File opened (read-only) \??\R: gennt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3912 4000 WerFault.exe 76 -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3912 WerFault.exe 3720 gennt.exe 3720 gennt.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 3912 WerFault.exe Token: SeBackupPrivilege 3912 WerFault.exe Token: SeDebugPrivilege 3912 WerFault.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2904 wrote to memory of 3720 2904 DocumentPreview.exe 74 PID 2904 wrote to memory of 3720 2904 DocumentPreview.exe 74 PID 2904 wrote to memory of 3720 2904 DocumentPreview.exe 74 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 4000 3720 gennt.exe 76 PID 3720 wrote to memory of 3740 3720 gennt.exe 79 PID 3720 wrote to memory of 3740 3720 gennt.exe 79 PID 3720 wrote to memory of 3740 3720 gennt.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\ProgramData\ae99cb89d6941a0b3431\gennt.exeC:\ProgramData\ae99cb89d6941a0b3431\gennt.exe "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\ae99cb89d6941a0b3431\gennt.exe3⤵PID:4000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 3524⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\ae99cb89d6941a0b3431}"3⤵PID:3740
-
-