Malware Analysis Report

2024-11-13 16:48

Sample ID: 200714-dxfl3nlqrj
Target: ReviewDocument.exe
SHA256: 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
Tags: buer loader persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2

Threat Level: Known bad

The file ReviewDocument.exe was found to be: Known bad.

Malicious Activity Summary

buer loader persistence

Buer

Modifies WinLogon for persistence

Buer Loader

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-07-14 16:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-07-14 16:36
Reported: 2020-07-14 16:38
Platform: win7v200430
Max time kernel: 138s
Max time network: 109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe"

Signatures

Buer

loader buer

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\327dc086d52122b7ba88\\gennt.exe\"" | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A

Buer Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\B: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\I: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\P: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\Q: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\V: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\W: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\Y: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\U: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\E: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\H: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\K: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\L: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\M: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\R: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\T: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\G: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\J: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\N: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\O: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\S: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\A: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\F: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A
File opened (read-only) | \??\X: | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1312 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe | C:\ProgramData\327dc086d52122b7ba88\gennt.exe
PID 1312 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe | C:\ProgramData\327dc086d52122b7ba88\gennt.exe
PID 1312 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe | C:\ProgramData\327dc086d52122b7ba88\gennt.exe
PID 1312 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe | C:\ProgramData\327dc086d52122b7ba88\gennt.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 1848 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1740 wrote to memory of 520 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 520 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 520 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 520 | N/A | C:\ProgramData\327dc086d52122b7ba88\gennt.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe

"C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe"

C:\ProgramData\327dc086d52122b7ba88\gennt.exe

C:\ProgramData\327dc086d52122b7ba88\gennt.exe "C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\327dc086d52122b7ba88\gennt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\327dc086d52122b7ba88}"

Network

Country | Destination | Domain | Proto
N/A | 162.244.81.87:443 | | tcp
N/A | 162.244.81.87:443 | | tcp
N/A | 162.244.81.87:443 | | tcp

Files

memory/1312-0-0x00000000001A0000-0x00000000001AC000-memory.dmp

\ProgramData\327dc086d52122b7ba88\gennt.exe

MD5 9bd3bbc082d0b3446fd456d750a8bbbe
SHA1 d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512 c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

memory/1740-2-0x0000000000000000-mapping.dmp

C:\ProgramData\327dc086d52122b7ba88\gennt.exe

MD5 9bd3bbc082d0b3446fd456d750a8bbbe
SHA1 d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512 c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

memory/1848-6-0x0000000000000000-mapping.dmp

memory/520-7-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-07-14 16:36
Reported: 2020-07-14 16:38
Platform: win10
Max time kernel: 121s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe"

Signatures

Buer

loader buer

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\fd8fd7c8e06052eddca4\\gennt.exe\"" | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A

Buer Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\N: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\V: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\X: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\Y: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\B: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\E: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\G: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\M: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\Z: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\J: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\L: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\P: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\T: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\U: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\I: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\K: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\R: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\S: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\Q: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\W: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\A: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\F: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\H: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
File opened (read-only) | \??\O: | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A
N/A | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3820 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe
PID 3820 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe
PID 3820 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 564 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 2836 wrote to memory of 796 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 796 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 796 | N/A | C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe

"C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe"

C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe

C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe "C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\fd8fd7c8e06052eddca4}"

Network

Country | Destination | Domain | Proto
N/A | 162.244.81.87:443 | | tcp
N/A | 162.244.81.87:443 | | tcp
N/A | 162.244.81.87:443 | | tcp

Files

memory/3820-0-0x0000000000E20000-0x0000000000E2C000-memory.dmp

memory/2836-1-0x0000000000000000-mapping.dmp

C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe

MD5 9bd3bbc082d0b3446fd456d750a8bbbe
SHA1 d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512 c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

memory/2836-4-0x00000000010B0000-0x00000000010BC000-memory.dmp

memory/564-5-0x0000000000000000-mapping.dmp

memory/796-6-0x0000000000000000-mapping.dmp