5942b57d50e389ec7be01bd5b4007249e3755064fe156941dfbe310f7fa53a73

General

Target

data.bin.exe
Size

197KB
MD5

5bde9bdb9109fc4004387aad4a99efef
SHA1

003231449d62dfbe594937f1546e5b0a92fe3c46
SHA256

5942b57d50e389ec7be01bd5b4007249e3755064fe156941dfbe310f7fa53a73
SHA512

dffa54aa89e62bcb69bd2b35f2402c333902e2497dac428c1964b5020716c6d8ade003013abeb6705904e95838c601106449f9e9dc62974355fb73320f0535f2

Score

10^/10

persistence

Deletes itself 1 IoCs

Processes:

gennt.exe

pid process

1676 gennt.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

gennt.exe

pid process

1676 gennt.exe

pid	process
1676	gennt.exe

pid	process
1676	gennt.exe

Drops file in Windows directory 3 IoCs

Processes:

data.bin.exegennt.exesecinit.exe

description	ioc	process
File opened for modification	C:\Windows\	data.bin.exe
File opened for modification	C:\Windows\	gennt.exe
File opened for modification	C:\Windows\	secinit.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

Winlogon Helper DLL

Modify Registry

Processes:

gennt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\a552913d669e9925a113\\gennt.exe\""	gennt.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Loads dropped DLL 2 IoCs

Processes:

data.bin.exe

pid process

1296 data.bin.exe
1296 data.bin.exe

pid	process
1296	data.bin.exe
1296	data.bin.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

data.bin.exegennt.exe

description	pid	process	target process
PID 1296 wrote to memory of 1676	1296	data.bin.exe	gennt.exe
PID 1296 wrote to memory of 1676	1296	data.bin.exe	gennt.exe
PID 1296 wrote to memory of 1676	1296	data.bin.exe	gennt.exe
PID 1296 wrote to memory of 1676	1296	data.bin.exe	gennt.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1224	1676	gennt.exe	secinit.exe
PID 1676 wrote to memory of 1820	1676	gennt.exe	cmd.exe
PID 1676 wrote to memory of 1820	1676	gennt.exe	cmd.exe
PID 1676 wrote to memory of 1820	1676	gennt.exe	cmd.exe
PID 1676 wrote to memory of 1820	1676	gennt.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

gennt.exe

pid process

1676 gennt.exe

pid	process
1676	gennt.exe

C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\a552913d669e9925a113\gennt.exe
3⤵
- Drops file in Windows directory
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\a552913d669e9925a113}"
3⤵
PID:1820