Analysis
-
max time kernel
84s -
max time network
78s -
platform
windows7_x64 -
resource
win7 -
submitted
14-07-2020 18:23
Static task
static1
Behavioral task
behavioral1
Sample
DocumentPreview.exe
Resource
win7
Behavioral task
behavioral2
Sample
DocumentPreview.exe
Resource
win10v200430
General
-
Target
DocumentPreview.exe
-
Size
228KB
-
MD5
801b2019d58f05ea3667603d3f2ff822
-
SHA1
ce0c63d9c1dd967d68158156e1c88e731fa25447
-
SHA256
0a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c
-
SHA512
8ef21833c493cb7bfad632df1842216dbcf7fa54fd87cb065d8d32fc120635b802e93481128f01d53bb7b5f32fa4d50122b4099f38cc348f9153a3b43be6131a
Malware Config
Extracted
buer
https://162.244.81.87/
http://162.244.81.87:8080/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
gennt.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\11b675fff06e2edb7bbc\\gennt.exe\"" gennt.exe -
Buer Loader 2 IoCs
Detects Buer loader in memory or disk.
Processes:
resource yara_rule behavioral1/memory/1340-0-0x0000000000250000-0x000000000025C000-memory.dmp buer behavioral1/memory/1556-4-0x00000000001E0000-0x00000000001EC000-memory.dmp buer -
Executes dropped EXE 1 IoCs
Processes:
gennt.exepid process 1556 gennt.exe -
Deletes itself 1 IoCs
Processes:
gennt.exepid process 1556 gennt.exe -
Loads dropped DLL 1 IoCs
Processes:
DocumentPreview.exepid process 1340 DocumentPreview.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
gennt.exedescription ioc process File opened (read-only) \??\A: gennt.exe File opened (read-only) \??\K: gennt.exe File opened (read-only) \??\L: gennt.exe File opened (read-only) \??\P: gennt.exe File opened (read-only) \??\Q: gennt.exe File opened (read-only) \??\R: gennt.exe File opened (read-only) \??\T: gennt.exe File opened (read-only) \??\W: gennt.exe File opened (read-only) \??\Y: gennt.exe File opened (read-only) \??\S: gennt.exe File opened (read-only) \??\E: gennt.exe File opened (read-only) \??\F: gennt.exe File opened (read-only) \??\G: gennt.exe File opened (read-only) \??\H: gennt.exe File opened (read-only) \??\I: gennt.exe File opened (read-only) \??\M: gennt.exe File opened (read-only) \??\O: gennt.exe File opened (read-only) \??\U: gennt.exe File opened (read-only) \??\V: gennt.exe File opened (read-only) \??\Z: gennt.exe File opened (read-only) \??\B: gennt.exe File opened (read-only) \??\J: gennt.exe File opened (read-only) \??\N: gennt.exe File opened (read-only) \??\X: gennt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1784 792 WerFault.exe secinit.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exegennt.exepid process 1784 WerFault.exe 1784 WerFault.exe 1784 WerFault.exe 1784 WerFault.exe 1556 gennt.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1784 WerFault.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
DocumentPreview.exegennt.exesecinit.exedescription pid process target process PID 1340 wrote to memory of 1556 1340 DocumentPreview.exe gennt.exe PID 1340 wrote to memory of 1556 1340 DocumentPreview.exe gennt.exe PID 1340 wrote to memory of 1556 1340 DocumentPreview.exe gennt.exe PID 1340 wrote to memory of 1556 1340 DocumentPreview.exe gennt.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 1556 wrote to memory of 792 1556 gennt.exe secinit.exe PID 792 wrote to memory of 1784 792 secinit.exe WerFault.exe PID 792 wrote to memory of 1784 792 secinit.exe WerFault.exe PID 792 wrote to memory of 1784 792 secinit.exe WerFault.exe PID 792 wrote to memory of 1784 792 secinit.exe WerFault.exe PID 1556 wrote to memory of 1632 1556 gennt.exe cmd.exe PID 1556 wrote to memory of 1632 1556 gennt.exe cmd.exe PID 1556 wrote to memory of 1632 1556 gennt.exe cmd.exe PID 1556 wrote to memory of 1632 1556 gennt.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\ProgramData\11b675fff06e2edb7bbc\gennt.exeC:\ProgramData\11b675fff06e2edb7bbc\gennt.exe "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\11b675fff06e2edb7bbc\gennt.exe3⤵
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 1444⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\11b675fff06e2edb7bbc}"3⤵PID:1632
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
801b2019d58f05ea3667603d3f2ff822
SHA1ce0c63d9c1dd967d68158156e1c88e731fa25447
SHA2560a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c
SHA5128ef21833c493cb7bfad632df1842216dbcf7fa54fd87cb065d8d32fc120635b802e93481128f01d53bb7b5f32fa4d50122b4099f38cc348f9153a3b43be6131a
-
MD5
801b2019d58f05ea3667603d3f2ff822
SHA1ce0c63d9c1dd967d68158156e1c88e731fa25447
SHA2560a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c
SHA5128ef21833c493cb7bfad632df1842216dbcf7fa54fd87cb065d8d32fc120635b802e93481128f01d53bb7b5f32fa4d50122b4099f38cc348f9153a3b43be6131a
-
MD5
801b2019d58f05ea3667603d3f2ff822
SHA1ce0c63d9c1dd967d68158156e1c88e731fa25447
SHA2560a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c
SHA5128ef21833c493cb7bfad632df1842216dbcf7fa54fd87cb065d8d32fc120635b802e93481128f01d53bb7b5f32fa4d50122b4099f38cc348f9153a3b43be6131a