Analysis

max time kernel
1762s

max time network
1767s

platform
windows7_x64

resource
win7

submitted
14-07-2020 20:52

Static task
static1

Behavioral task
behavioral1

Sample
Doc-Print.exe

Resource
win7
General

Target
Doc-Print.exe

Size
368KB

MD5
fcc9314bc996fa04721aa469e1d982df

SHA1
c306f42bd091c86328651e30c15ac49a7ebb02c4

SHA256
e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529

SHA512
fac82d815108b111b3a63063e757c2d5ed367e3a94dbe3dc3af252f8c1968aead07df32405f3f16012b13b203f264d764666b49ac192daa98334a3c3be32c0f3
Malware Config
Extracted
buer
https://162.244.81.87/
http://162.244.81.87:8080/
Extracted
metasploit
windows/download_exec
http://31.14.40.55:80/YRDm
headers
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: gennt.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\201d0b90eb65c4e04a98\\gennt.exe\"" | gennt.exe

Buer Loader (2 IoCs)
Detects Buer loader in memory or disk.
resource | yara_rule
behavioral1/memory/284-0-0x0000000000330000-0x000000000033C000-memory.dmp | buer
behavioral1/memory/1852-6-0x0000000000280000-0x000000000028C000-memory.dmp | buer

Executes dropped EXE (1 IoC)
Processes: gennt.exe
pid | process
1852 | gennt.exe

Deletes itself (1 IoC)
Processes: gennt.exe
pid | process
1852 | gennt.exe

Loads dropped DLL (3 IoCs)
Processes: Doc-Print.exe, regsvr32.exe
pid | process
284 | Doc-Print.exe
284 | Doc-Print.exe
1468 | regsvr32.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: gennt.exe
description | ioc | process
File opened (read-only) | \??\K: | gennt.exe
File opened (read-only) | \??\M: | gennt.exe
File opened (read-only) | \??\Y: | gennt.exe
File opened (read-only) | \??\O: | gennt.exe
File opened (read-only) | \??\P: | gennt.exe
File opened (read-only) | \??\X: | gennt.exe
File opened (read-only) | \??\A: | gennt.exe
File opened (read-only) | \??\G: | gennt.exe
File opened (read-only) | \??\I: | gennt.exe
File opened (read-only) | \??\L: | gennt.exe
File opened (read-only) | \??\F: | gennt.exe
File opened (read-only) | \??\Q: | gennt.exe
File opened (read-only) | \??\T: | gennt.exe
File opened (read-only) | \??\W: | gennt.exe
File opened (read-only) | \??\N: | gennt.exe
File opened (read-only) | \??\R: | gennt.exe
File opened (read-only) | \??\S: | gennt.exe
File opened (read-only) | \??\U: | gennt.exe
File opened (read-only) | \??\B: | gennt.exe
File opened (read-only) | \??\E: | gennt.exe
File opened (read-only) | \??\H: | gennt.exe
File opened (read-only) | \??\J: | gennt.exe
File opened (read-only) | \??\V: | gennt.exe
File opened (read-only) | \??\Z: | gennt.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
1912 | 1868 | WerFault.exe | secinit.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: WerFault.exe, gennt.exe
pid | process
1912 | WerFault.exe
1912 | WerFault.exe
1912 | WerFault.exe
1912 | WerFault.exe
1852 | gennt.exe
1852 | gennt.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: WerFault.exe
pid | process
1912 | WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 1912 | WerFault.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: Doc-Print.exe, gennt.exe
pid | process
284 | Doc-Print.exe
284 | Doc-Print.exe
1852 | gennt.exe
1852 | gennt.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes: Doc-Print.exe, gennt.exe, secinit.exe
Identical events are collapsed; the count column gives the number of times each row was recorded (30 in total).
description | pid | process | target process | count
PID 284 wrote to memory of 1852 | 284 | Doc-Print.exe | gennt.exe | 4
PID 1852 wrote to memory of 1868 | 1852 | gennt.exe | secinit.exe | 11
PID 1868 wrote to memory of 1912 | 1868 | secinit.exe | WerFault.exe | 4
PID 1852 wrote to memory of 1824 | 1852 | gennt.exe | cmd.exe | 4
PID 1852 wrote to memory of 1468 | 1852 | gennt.exe | regsvr32.exe | 7
Processes
(indentation shows the parent/child relationship; depth as reported by the sandbox)

Doc-Print.exe (PID 284), depth 1
Path: C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe"
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    gennt.exe (PID 1852), depth 2
    Path: C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe
    Command line: C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe "C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe" ensgJJ
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Deletes itself
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        secinit.exe (PID 1868), depth 3
        Path: C:\Windows\SysWOW64\secinit.exe
        Command line: C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe
        - Suspicious use of WriteProcessMemory

            WerFault.exe (PID 1912), depth 4
            Path: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 196
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken

        cmd.exe (PID 1824), depth 3
        Path: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\201d0b90eb65c4e04a98}"

        regsvr32.exe (PID 1468), depth 3
        Path: C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" "C:\ProgramData\201d0b90eb65c4e04a98\vemyonacsi.dll"
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5
fcc9314bc996fa04721aa469e1d982df
SHA1
c306f42bd091c86328651e30c15ac49a7ebb02c4
SHA256
e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529
SHA512
fac82d815108b111b3a63063e757c2d5ed367e3a94dbe3dc3af252f8c1968aead07df32405f3f16012b13b203f264d764666b49ac192daa98334a3c3be32c0f3

MD5
5c4a26fd3d7bd21eaf316e2f48cc39a3
SHA1
80e494e385a1b2d3581ce8803d14911af296ff7e
SHA256
6ff57b1138bfc48412a5b0e87c302ff0ac01c173e8937f1eb5b833c504aa902c
SHA512
65a81a712da70a06abc7e7cb6d0c6b38a3133406245db641b8038cbd28ed4a86c4ebbb0098784e223c3268933cb6e860563b9a80c67c5a9deaef64163ec1a368