Malware Analysis Report

2024-11-13 16:48

Sample ID 200714-p21eh6tdy2
Target Doc-Print.exe
SHA256 e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529
Tags
buer metasploit backdoor loader persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529

Threat Level: Known bad

The file Doc-Print.exe was found to be: Known bad. In the behavioral run it copies itself to C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe (the dropped copy carries the same SHA256 as the submitted sample), sets the Winlogon Shell value so that gennt.exe is launched alongside explorer.exe at logon, adds its ProgramData directory to the Windows Defender exclusion list through a PowerShell Add-MpPreference call, registers a dropped DLL (vemyonacsi.dll) with regsvr32.exe, writes into a spawned secinit.exe process (which then crashes under WerFault.exe), and contacts 162.244.81.87 on TCP 443 and 8080 and 31.14.40.55 on TCP 80.

Malicious Activity Summary

buer metasploit backdoor loader persistence trojan

Modifies WinLogon for persistence

Buer

MetaSploit

Buer Loader

Executes dropped EXE

Loads dropped DLL

Deletes itself

Enumerates connected drives

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-07-14 20:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-07-14 20:52

Reported

2020-07-14 21:23

Platform

win7

Max time kernel

1762s

Max time network

1767s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe"

Signatures

Buer

loader buer

MetaSploit

trojan backdoor metasploit

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\201d0b90eb65c4e04a98\\gennt.exe\"" | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A

The Shell value is a comma-separated list of programs, so this write is intended to keep explorer.exe as the shell while additionally launching gennt.exe at every logon. The write landed under Wow6432Node because the sample is a 32-bit process and the registry redirector sent it there; when hunting for this persistence, inspect the Shell value under both the native Winlogon key and the Wow6432Node view, and treat any entry other than explorer.exe as suspect.

Buer Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: through \??\Z:, 24 letters in total (A, B, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z; every letter except C: and D:) | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\secinit.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 284 wrote to memory of 1852 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe
PID 1852 wrote to memory of 1868 (11 events) | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | C:\Windows\SysWOW64\secinit.exe
PID 1868 wrote to memory of 1912 (4 events) | N/A | C:\Windows\SysWOW64\secinit.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1852 wrote to memory of 1824 (4 events) | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 1468 (7 events) | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | C:\Windows\SysWOW64\regsvr32.exe

The eleven writes from gennt.exe (PID 1852) into secinit.exe (PID 1868), together with secinit.exe being recorded with gennt.exe's path as its command line in the Processes section, are consistent with gennt.exe spawning secinit.exe and overwriting it with its own payload. The subsequent WerFault.exe launch for PID 1868 indicates that the process crashed in the sandbox, so the injected stage may not have executed fully.

Processes

Process tree (PIDs taken from the WriteProcessMemory events above; each process is followed by its recorded command line):

C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe (PID 284)
  "C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe"
  |
  +-- C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe (PID 1852)
        C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe "C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe" ensgJJ
        (the dropped copy receives the original dropper's path as an argument, consistent with the "Deletes itself" signature)
        |
        +-- C:\Windows\SysWOW64\secinit.exe (PID 1868)
        |     C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe
        |     (image is secinit.exe but the recorded command line is gennt.exe's path)
        |     |
        |     +-- C:\Windows\SysWOW64\WerFault.exe (PID 1912)
        |           C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 196
        |
        +-- C:\Windows\SysWOW64\cmd.exe (PID 1824)
        |     "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\201d0b90eb65c4e04a98}"
        |     (no powershell.exe child appears in the recorded process list)
        |
        +-- C:\Windows\SysWOW64\regsvr32.exe (PID 1468)
              "C:\Windows\System32\regsvr32.exe" "C:\ProgramData\201d0b90eb65c4e04a98\vemyonacsi.dll"
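The following Python is an added example, not part of the sandbox output: it encodes the four behaviours visible in the Signatures and Processes sections (Winlogon Shell tampering, a Defender exclusion added via Add-MpPreference, regsvr32.exe registering a DLL from a user-writable directory, and a child process whose command line names a different executable than its image) as detection rules, and runs them over constructed Sysmon-style event records. The events mirror the report's indicators and PIDs, but the field names (Sysmon EventID 1 process-create and EventID 13 registry-set), the two benign control events, and the rule names are assumptions.

```python
"""Detection rules for the behaviours recorded above, run over constructed
Sysmon-style events. Added example: the events mirror the report's signatures
but are not sandbox output; field names follow Sysmon (EventID 1 = process
create, EventID 13 = registry value set), and the two benign control events
and the rule names are assumptions."""
import ntpath
import re

DROP_DIR = r"C:\ProgramData\201d0b90eb65c4e04a98"
GENNT = DROP_DIR + r"\gennt.exe"

# Constructed events: four taken from the report (PIDs as listed there) plus
# two benign controls that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 1852, "Image": GENNT,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": 'explorer.exe, "' + GENNT + '"'},
    {"EventID": 1, "ProcessId": 1824, "ParentImage": GENNT,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" powershell.exe -Command '
                    '"& {Add-MpPreference -ExclusionPath ' + DROP_DIR + '}"'},
    {"EventID": 1, "ProcessId": 1468, "ParentImage": GENNT,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": '"C:\\Windows\\System32\\regsvr32.exe" "' + DROP_DIR + '\\vemyonacsi.dll"'},
    {"EventID": 1, "ProcessId": 1868, "ParentImage": GENNT,
     "Image": r"C:\Windows\SysWOW64\secinit.exe",
     "CommandLine": GENNT},
    # Benign controls (constructed): the default Shell value, and a vendor DLL
    # registered from Program Files by an installer.
    {"EventID": 13, "ProcessId": 600, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": 1, "ProcessId": 3000, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\vendor.dll"'},
]

# Locations a standard user can write to; a DLL registered from one of them is suspect.
USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp)\\", re.I)


def first_token(cmdline):
    """Executable path at the front of a Windows command line, quoted or bare."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def parse_shell_value(details):
    """Winlogon\\Shell is a comma-separated list of programs; return each entry unquoted."""
    return [e.strip().strip('"') for e in details.split(",") if e.strip()]


def dll_args(cmdline):
    """Every .dll argument on the command line, quoted or bare."""
    return [m.group(1) or m.group(2)
            for m in re.finditer(r'"([^"]+\.dll)"|(\S+\.dll)', cmdline, re.I)]


def evaluate(events):
    """Return (rule, pid, evidence) tuples for every event a rule fires on."""
    findings = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 13 and ev["TargetObject"].lower().endswith(r"\winlogon\shell"):
            # Matches the native key and the Wow6432Node view alike.
            extra = [e for e in parse_shell_value(ev["Details"])
                     if ntpath.basename(e).lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon_shell_persistence", pid, extra[0]))
        if ev["EventID"] == 1:
            cl = ev["CommandLine"]
            if re.search(r"add-mppreference.*-exclusion(path|process|extension)", cl, re.I):
                findings.append(("defender_exclusion_added", pid, cl))
            if ntpath.basename(ev["Image"]).lower() == "regsvr32.exe":
                suspect = [d for d in dll_args(cl) if USER_WRITABLE.search(d)]
                if suspect:
                    findings.append(("regsvr32_dll_from_user_writable_path", pid, suspect[0]))
            # A process whose command line names a different executable than its
            # image (secinit.exe carrying gennt.exe's command line) is the trace a
            # hollowed or spoofed child leaves in process-creation telemetry.
            if ntpath.basename(first_token(cl)).lower() != ntpath.basename(ev["Image"]).lower():
                findings.append(("image_commandline_mismatch", pid, first_token(cl)))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in evaluate(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid:<5} {evidence}")
```

Run against the constructed events, the four report-derived records each produce one finding and the two benign controls produce none. The Shell rule deliberately keys on the key name rather than the full path so that the Wow6432Node write seen here and a native-key write are caught by the same check, and the regsvr32 rule looks at the DLL's directory rather than its name, since the file name (vemyonacsi.dll) is not something a rule should depend on.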

Network

Country | Destination | Domain | Proto | Connections recorded
N/A | 162.244.81.87:443 | (none) | tcp | 6
N/A | 162.244.81.87:8080 | 162.244.81.87 | tcp | 1
N/A | 31.14.40.55:80 | 31.14.40.55 | tcp | 25

Files

Dropped files (each is listed in the raw report twice, once as \ProgramData\... and once as C:\ProgramData\...; hashes are given once here)

C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe (same SHA256 as the submitted Doc-Print.exe, i.e. a byte-for-byte self-copy)

MD5 fcc9314bc996fa04721aa469e1d982df
SHA1 c306f42bd091c86328651e30c15ac49a7ebb02c4
SHA256 e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529
SHA512 fac82d815108b111b3a63063e757c2d5ed367e3a94dbe3dc3af252f8c1968aead07df32405f3f16012b13b203f264d764666b49ac192daa98334a3c3be32c0f3

C:\ProgramData\201d0b90eb65c4e04a98\vemyonacsi.dll

MD5 5c4a26fd3d7bd21eaf316e2f48cc39a3
SHA1 80e494e385a1b2d3581ce8803d14911af296ff7e
SHA256 6ff57b1138bfc48412a5b0e87c302ff0ac01c173e8937f1eb5b833c504aa902c
SHA512 65a81a712da70a06abc7e7cb6d0c6b38a3133406245db641b8038cbd28ed4a86c4ebbb0098784e223c3268933cb6e860563b9a80c67c5a9deaef64163ec1a368

Memory dumps (in the order captured; the leading number is the PID)

memory/284-0-0x0000000000330000-0x000000000033C000-memory.dmp
memory/1852-3-0x0000000000000000-mapping.dmp
memory/1852-6-0x0000000000280000-0x000000000028C000-memory.dmp
memory/1868-7-0x0000000000000000-mapping.dmp
memory/1912-8-0x0000000000000000-mapping.dmp
memory/1912-9-0x0000000001F00000-0x0000000001F11000-memory.dmp
memory/1868-10-0x0000000000000000-mapping.dmp
memory/1868-11-0x0000000000000000-mapping.dmp
memory/1912-12-0x00000000025C0000-0x00000000025D1000-memory.dmp
memory/1824-13-0x0000000000000000-mapping.dmp
memory/1468-14-0x0000000000000000-mapping.dmp
memory/1468-17-0x00000000001A0000-0x00000000001A9000-memory.dmp
memory/1468-18-0x000000006BAC0000-0x000000006BACB000-memory.dmp
memory/1468-19-0x00000000008E0000-0x00000000008E1000-memory.dmp