Analysis Overview
SHA256
63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
Threat Level: Known bad
The file SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Buer
Buer Loader
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates connected drives
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-07-14 22:00
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2020-07-14 22:00
Reported
2020-07-14 22:02
Platform
win10v200430
Max time kernel
132s
Max time network
133s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\02c1df6065ba3f800c3c\\gennt.exe\"" | C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe | N/A |
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe | N/A |
| N/A | N/A | C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe"
C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe
C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\02c1df6065ba3f800c3c}"
Network
| Country | Destination | Domain | Proto |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp |
Files
memory/1616-0-0x0000000000C70000-0x0000000000C7C000-memory.dmp
memory/2824-1-0x0000000000000000-mapping.dmp
C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe
| MD5 | 9bd3bbc082d0b3446fd456d750a8bbbe |
| SHA1 | d50d739d91ff82ad31a6227ba734b6658f1a577a |
| SHA256 | 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2 |
| SHA512 | c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b |
C:\ProgramData\02c1df6065ba3f800c3c\gennt.exe
| MD5 | 9bd3bbc082d0b3446fd456d750a8bbbe |
| SHA1 | d50d739d91ff82ad31a6227ba734b6658f1a577a |
| SHA256 | 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2 |
| SHA512 | c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b |
memory/2824-4-0x0000000000EA0000-0x0000000000EAC000-memory.dmp
memory/4044-5-0x0000000000000000-mapping.dmp
memory/3884-6-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2020-07-14 22:00
Reported
2020-07-14 22:02
Platform
win7
Max time kernel
112s
Max time network
117s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\a4bfe5892a83f38eafd7\\gennt.exe\"" | C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe | N/A |
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe"
C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Siggen2.3218.21083.22208.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\a4bfe5892a83f38eafd7}"
Network
| Country | Destination | Domain | Proto |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp |
Files
memory/1044-0-0x0000000000120000-0x000000000012C000-memory.dmp
\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
| MD5 | 9bd3bbc082d0b3446fd456d750a8bbbe |
| SHA1 | d50d739d91ff82ad31a6227ba734b6658f1a577a |
| SHA256 | 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2 |
| SHA512 | c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b |
memory/1296-2-0x0000000000000000-mapping.dmp
C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
| MD5 | 9bd3bbc082d0b3446fd456d750a8bbbe |
| SHA1 | d50d739d91ff82ad31a6227ba734b6658f1a577a |
| SHA256 | 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2 |
| SHA512 | c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b |
memory/1296-4-0x0000000000260000-0x000000000026C000-memory.dmp
C:\ProgramData\a4bfe5892a83f38eafd7\gennt.exe
| MD5 | 9bd3bbc082d0b3446fd456d750a8bbbe |
| SHA1 | d50d739d91ff82ad31a6227ba734b6658f1a577a |
| SHA256 | 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2 |
| SHA512 | c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b |
memory/1508-6-0x0000000000000000-mapping.dmp
memory/1780-7-0x0000000000000000-mapping.dmp