Analysis

max time kernel: 151s
max time network: 157s
platform: windows7_x64
resource: win7v200430
submitted: 14-07-2020 05:23

Static task: static1

Behavioral task: behavioral1
  Sample: data.bin.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: data.bin.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General

Target: data.bin.exe
Size: 197KB
MD5: 5bde9bdb9109fc4004387aad4a99efef
SHA1: 003231449d62dfbe594937f1546e5b0a92fe3c46
SHA256: 5942b57d50e389ec7be01bd5b4007249e3755064fe156941dfbe310f7fa53a73
SHA512: dffa54aa89e62bcb69bd2b35f2402c333902e2497dac428c1964b5020716c6d8ade003013abeb6705904e95838c601106449f9e9dc62974355fb73320f0535f2
Score: 10/10
Malware Config
Signatures

Deletes itself (1 IoC)
  Processes: gennt.exe
    pid    process
    1676   gennt.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: gennt.exe
    pid    process
    1676   gennt.exe

Drops file in Windows directory (3 IoCs)
  Processes: data.bin.exe, gennt.exe, secinit.exe
    description                    ioc           process
    File opened for modification   C:\Windows\   data.bin.exe
    File opened for modification   C:\Windows\   gennt.exe
    File opened for modification   C:\Windows\   secinit.exe

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: gennt.exe
    description       ioc                                                                                                     process
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\a552913d669e9925a113\\gennt.exe\""   gennt.exe

Enumerates connected drives (3 TTPs)

Loads dropped DLL (2 IoCs)
  Processes: data.bin.exe
    pid    process
    1296   data.bin.exe
    1296   data.bin.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: data.bin.exe, gennt.exe
    description                        pid    process        target process
    PID 1296 wrote to memory of 1676   1296   data.bin.exe   gennt.exe
    PID 1296 wrote to memory of 1676   1296   data.bin.exe   gennt.exe
    PID 1296 wrote to memory of 1676   1296   data.bin.exe   gennt.exe
    PID 1296 wrote to memory of 1676   1296   data.bin.exe   gennt.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1224   1676   gennt.exe      secinit.exe
    PID 1676 wrote to memory of 1820   1676   gennt.exe      cmd.exe
    PID 1676 wrote to memory of 1820   1676   gennt.exe      cmd.exe
    PID 1676 wrote to memory of 1820   1676   gennt.exe      cmd.exe
    PID 1676 wrote to memory of 1820   1676   gennt.exe      cmd.exe

Executes dropped EXE (1 IoC)
  Processes: gennt.exe
    pid    process
    1676   gennt.exe
Processes

Image: C:\Users\Admin\AppData\Local\Temp\data.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\data.bin.exe"
PID: 1296
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Image: C:\ProgramData\a552913d669e9925a113\gennt.exe
  Command line: C:\ProgramData\a552913d669e9925a113\gennt.exe "C:\Users\Admin\AppData\Local\Temp\data.bin.exe" ensgJJ
  PID: 1676
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Windows directory
    - Modifies WinLogon for persistence
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    Image: C:\Windows\SysWOW64\secinit.exe
    Command line: C:\ProgramData\a552913d669e9925a113\gennt.exe
    PID: 1224
      - Drops file in Windows directory

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\a552913d669e9925a113}"
    PID: 1820