Analysis
-
max time kernel
124s -
max time network
126s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
14-07-2020 18:23
Static task
static1
Behavioral task
behavioral1
Sample
DocumentPreview.exe
Resource
win7
Behavioral task
behavioral2
Sample
DocumentPreview.exe
Resource
win10v200430
General
-
Target
DocumentPreview.exe
-
Size
228KB
-
MD5
801b2019d58f05ea3667603d3f2ff822
-
SHA1
ce0c63d9c1dd967d68158156e1c88e731fa25447
-
SHA256
0a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c
-
SHA512
8ef21833c493cb7bfad632df1842216dbcf7fa54fd87cb065d8d32fc120635b802e93481128f01d53bb7b5f32fa4d50122b4099f38cc348f9153a3b43be6131a
Malware Config
Extracted
buer
https://162.244.81.87/
http://162.244.81.87:8080/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
gennt.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\7fccf73e918d8f1a3117\\gennt.exe\"" gennt.exe -
Buer Loader 2 IoCs
Detects Buer loader in memory or disk.
Processes:
resource yara_rule behavioral2/memory/2564-0-0x0000000000510000-0x000000000051C000-memory.dmp buer behavioral2/memory/2432-4-0x0000000000480000-0x000000000048C000-memory.dmp buer -
Executes dropped EXE 1 IoCs
Processes:
gennt.exepid process 2432 gennt.exe -
Deletes itself 1 IoCs
Processes:
gennt.exepid process 2432 gennt.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
gennt.exedescription ioc process File opened (read-only) \??\X: gennt.exe File opened (read-only) \??\I: gennt.exe File opened (read-only) \??\M: gennt.exe File opened (read-only) \??\N: gennt.exe File opened (read-only) \??\R: gennt.exe File opened (read-only) \??\L: gennt.exe File opened (read-only) \??\V: gennt.exe File opened (read-only) \??\Z: gennt.exe File opened (read-only) \??\E: gennt.exe File opened (read-only) \??\F: gennt.exe File opened (read-only) \??\J: gennt.exe File opened (read-only) \??\K: gennt.exe File opened (read-only) \??\Q: gennt.exe File opened (read-only) \??\S: gennt.exe File opened (read-only) \??\T: gennt.exe File opened (read-only) \??\U: gennt.exe File opened (read-only) \??\A: gennt.exe File opened (read-only) \??\B: gennt.exe File opened (read-only) \??\H: gennt.exe File opened (read-only) \??\O: gennt.exe File opened (read-only) \??\W: gennt.exe File opened (read-only) \??\G: gennt.exe File opened (read-only) \??\P: gennt.exe File opened (read-only) \??\Y: gennt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3884 3000 WerFault.exe secinit.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exegennt.exepid process 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 3884 WerFault.exe 2432 gennt.exe 2432 gennt.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3884 WerFault.exe Token: SeBackupPrivilege 3884 WerFault.exe Token: SeDebugPrivilege 3884 WerFault.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
DocumentPreview.exegennt.exedescription pid process target process PID 2564 wrote to memory of 2432 2564 DocumentPreview.exe gennt.exe PID 2564 wrote to memory of 2432 2564 DocumentPreview.exe gennt.exe PID 2564 wrote to memory of 2432 2564 DocumentPreview.exe gennt.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3000 2432 gennt.exe secinit.exe PID 2432 wrote to memory of 3812 2432 gennt.exe cmd.exe PID 2432 wrote to memory of 3812 2432 gennt.exe cmd.exe PID 2432 wrote to memory of 3812 2432 gennt.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\ProgramData\7fccf73e918d8f1a3117\gennt.exeC:\ProgramData\7fccf73e918d8f1a3117\gennt.exe "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\7fccf73e918d8f1a3117\gennt.exe3⤵PID:3000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 4204⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\7fccf73e918d8f1a3117}"3⤵PID:3812
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
801b2019d58f05ea3667603d3f2ff822
SHA1ce0c63d9c1dd967d68158156e1c88e731fa25447
SHA2560a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c
SHA5128ef21833c493cb7bfad632df1842216dbcf7fa54fd87cb065d8d32fc120635b802e93481128f01d53bb7b5f32fa4d50122b4099f38cc348f9153a3b43be6131a
-
MD5
801b2019d58f05ea3667603d3f2ff822
SHA1ce0c63d9c1dd967d68158156e1c88e731fa25447
SHA2560a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c
SHA5128ef21833c493cb7bfad632df1842216dbcf7fa54fd87cb065d8d32fc120635b802e93481128f01d53bb7b5f32fa4d50122b4099f38cc348f9153a3b43be6131a