Overview

overview

10

Static

static

data.bin.exe

windows7_x64

10

data.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    14/07/2020, 05:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    data.bin.exe

  • Size

    197KB

  • MD5

    5bde9bdb9109fc4004387aad4a99efef

  • SHA1

    003231449d62dfbe594937f1546e5b0a92fe3c46

  • SHA256

    5942b57d50e389ec7be01bd5b4007249e3755064fe156941dfbe310f7fa53a73

  • SHA512

    dffa54aa89e62bcb69bd2b35f2402c333902e2497dac428c1964b5020716c6d8ade003013abeb6705904e95838c601106449f9e9dc62974355fb73320f0535f2

Score
10/10
persistence

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 19 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs

Processes

  • C:\Users\Admin\AppData\Local\Temp\data.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\data.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in Windows directory
    PID:3908
    • C:\ProgramData\d082df836616ecbce5f8\gennt.exe
      C:\ProgramData\d082df836616ecbce5f8\gennt.exe "C:\Users\Admin\AppData\Local\Temp\data.bin.exe" ensgJJ
      2⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Deletes itself
      • Drops file in Windows directory
      • Modifies WinLogon for persistence
      PID:3640
      • C:\Windows\SysWOW64\secinit.exe
        C:\ProgramData\d082df836616ecbce5f8\gennt.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Drops file in Windows directory
        • Modifies WinLogon for persistence
        PID:3752
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\d082df836616ecbce5f8}"
          4⤵
            PID:572
          • C:\ProgramData\d082df836616ecbce5f8\edabaluvileqec.exe
            C:\ProgramData\d082df836616ecbce5f8\edabaluvileqec.exe
            4⤵
            • Executes dropped EXE
            PID:1040

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads