Analysis Overview
SHA256
e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529
Threat Level: Known bad
The file Doc-Print.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Buer
MetaSploit
Buer Loader
Executes dropped EXE
Loads dropped DLL
Deletes itself
Enumerates connected drives
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-07-14 20:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-07-14 20:52
Reported
2020-07-14 21:23
Platform
win7
Max time kernel
1762s
Max time network
1767s
Command Line
Signatures
Buer
MetaSploit
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\201d0b90eb65c4e04a98\\gennt.exe\"" | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A |
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\secinit.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A |
| N/A | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe | N/A |
| N/A | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A |
| N/A | N/A | C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe
"C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe"
C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe
C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe "C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 196
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\201d0b90eb65c4e04a98}"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" "C:\ProgramData\201d0b90eb65c4e04a98\vemyonacsi.dll"
Network
| Country | Destination | Domain | Proto |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:8080 | 162.244.81.87 | tcp |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
Files
memory/284-0-0x0000000000330000-0x000000000033C000-memory.dmp
\ProgramData\201d0b90eb65c4e04a98\gennt.exe
| MD5 | fcc9314bc996fa04721aa469e1d982df |
| SHA1 | c306f42bd091c86328651e30c15ac49a7ebb02c4 |
| SHA256 | e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529 |
| SHA512 | fac82d815108b111b3a63063e757c2d5ed367e3a94dbe3dc3af252f8c1968aead07df32405f3f16012b13b203f264d764666b49ac192daa98334a3c3be32c0f3 |
\ProgramData\201d0b90eb65c4e04a98\gennt.exe
| MD5 | fcc9314bc996fa04721aa469e1d982df |
| SHA1 | c306f42bd091c86328651e30c15ac49a7ebb02c4 |
| SHA256 | e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529 |
| SHA512 | fac82d815108b111b3a63063e757c2d5ed367e3a94dbe3dc3af252f8c1968aead07df32405f3f16012b13b203f264d764666b49ac192daa98334a3c3be32c0f3 |
memory/1852-3-0x0000000000000000-mapping.dmp
C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe
| MD5 | fcc9314bc996fa04721aa469e1d982df |
| SHA1 | c306f42bd091c86328651e30c15ac49a7ebb02c4 |
| SHA256 | e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529 |
| SHA512 | fac82d815108b111b3a63063e757c2d5ed367e3a94dbe3dc3af252f8c1968aead07df32405f3f16012b13b203f264d764666b49ac192daa98334a3c3be32c0f3 |
C:\ProgramData\201d0b90eb65c4e04a98\gennt.exe
| MD5 | fcc9314bc996fa04721aa469e1d982df |
| SHA1 | c306f42bd091c86328651e30c15ac49a7ebb02c4 |
| SHA256 | e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529 |
| SHA512 | fac82d815108b111b3a63063e757c2d5ed367e3a94dbe3dc3af252f8c1968aead07df32405f3f16012b13b203f264d764666b49ac192daa98334a3c3be32c0f3 |
memory/1852-6-0x0000000000280000-0x000000000028C000-memory.dmp
memory/1868-7-0x0000000000000000-mapping.dmp
memory/1912-8-0x0000000000000000-mapping.dmp
memory/1912-9-0x0000000001F00000-0x0000000001F11000-memory.dmp
memory/1868-10-0x0000000000000000-mapping.dmp
memory/1868-11-0x0000000000000000-mapping.dmp
memory/1912-12-0x00000000025C0000-0x00000000025D1000-memory.dmp
memory/1824-13-0x0000000000000000-mapping.dmp
memory/1468-14-0x0000000000000000-mapping.dmp
C:\ProgramData\201d0b90eb65c4e04a98\vemyonacsi.dll
| MD5 | 5c4a26fd3d7bd21eaf316e2f48cc39a3 |
| SHA1 | 80e494e385a1b2d3581ce8803d14911af296ff7e |
| SHA256 | 6ff57b1138bfc48412a5b0e87c302ff0ac01c173e8937f1eb5b833c504aa902c |
| SHA512 | 65a81a712da70a06abc7e7cb6d0c6b38a3133406245db641b8038cbd28ed4a86c4ebbb0098784e223c3268933cb6e860563b9a80c67c5a9deaef64163ec1a368 |
\ProgramData\201d0b90eb65c4e04a98\vemyonacsi.dll
| MD5 | 5c4a26fd3d7bd21eaf316e2f48cc39a3 |
| SHA1 | 80e494e385a1b2d3581ce8803d14911af296ff7e |
| SHA256 | 6ff57b1138bfc48412a5b0e87c302ff0ac01c173e8937f1eb5b833c504aa902c |
| SHA512 | 65a81a712da70a06abc7e7cb6d0c6b38a3133406245db641b8038cbd28ed4a86c4ebbb0098784e223c3268933cb6e860563b9a80c67c5a9deaef64163ec1a368 |
memory/1468-17-0x00000000001A0000-0x00000000001A9000-memory.dmp
memory/1468-18-0x000000006BAC0000-0x000000006BACB000-memory.dmp
memory/1468-19-0x00000000008E0000-0x00000000008E1000-memory.dmp