Analysis
- max time kernel: 1800s
- max time network: 1806s
- platform: windows7_x64
- resource: win7
- submitted: 16-07-2020 20:13

Static task: static1
Behavioral task: behavioral1
- Sample: 214053f.exe
- Resource: win7
General
- Target: 214053f.exe
- Size: 38KB
- MD5: 1f4ce9581d372c6297794233cbeca1ea
- SHA1: c9661c46db129433e350d1ca3fd0ebd79b190f88
- SHA256: f23db00ee052d07bf66ce6aa644ead488e182dfb21c4c5c42bb9677db839a310
- SHA512: 571c4a811586bf26b3de8cbcc59be0b27f4fb58826844e8ef73dcf8c61af8c918dd8c06f42339867b4877f00ab11e8ec8d1901afbde57e967748ccd23425447f
Malware Config
Extracted: buer
- C2: https://162.244.81.87/
- C2: http://162.244.81.87:8080/
Extracted: metasploit
- payload: windows/download_exec
- URL: http://31.14.40.55:80/YRDm
- headers: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)
  Note: the four-character path /YRDm has a checksum8 of 92 (sum of its byte values modulo 256: 89 + 82 + 68 + 109 = 348, and 348 - 256 = 92), the value Metasploit and Cobalt Strike staging URIs carry for a 32-bit Windows stage, so this download is the stager request that the Cobaltstrike signature below refers to. The hard-coded User-Agent, with its odd "qdesk 2.4.1263.203" token, is a usable network indicator on its own.
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobalt Strike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: gennt.exe, secinit.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\e5ba68ea51572fa02d86\\gennt.exe\"" | gennt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\e5ba68ea51572fa02d86\\gennt.exe\"" | secinit.exe
  Note: Winlogon reads Shell as a comma-separated list of programs to start at interactive logon; the stock value is just explorer.exe, so the appended gennt.exe path is the persistence. The value landed under Wow6432Node because the writers are 32-bit processes whose registry access was redirected to the WOW64 view. When checking a 64-bit host, read both the native and the Wow6432Node copy of Winlogon\Shell, and do not assume the Wow6432Node copy is what the 64-bit Winlogon honours at logon.
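A check for this persistence value, written as an added example for this report rather than anything from the sandbox or the sample: it splits a Winlogon Shell value the way Winlogon does (comma-separated, with double-quoted paths kept whole), reports every entry other than the stock explorer.exe, and notes when the key was read from the Wow6432Node view. The sample values are constructed; the first is the exact key and value this report recorded, with the registry escaping decoded.

```python
from __future__ import annotations

import re

DEFAULT_SHELL = "explorer.exe"  # stock Shell value on a client Windows install
WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.IGNORECASE)


def split_shell_value(value: str) -> list[str]:
    """Split a Winlogon Shell value into its program entries.

    Winlogon treats the value as a comma-separated list and launches each entry.
    A path wrapped in double quotes may itself contain a comma, so commas inside
    quotes must not split the value; the quotes themselves are not part of the path.
    """
    entries, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    entries.append("".join(buf).strip())
    return [e for e in entries if e]


def check_winlogon_shell(key_path: str, value: str) -> dict:
    """Return a finding for one registry write of the form key_path = value."""
    entries = split_shell_value(value)
    extra = [e for e in entries if e.lower() != DEFAULT_SHELL]
    shell_replaced = not entries or entries[0].lower() != DEFAULT_SHELL
    return {
        "key": key_path,
        "is_shell_value": bool(WINLOGON_SHELL.search(key_path)),
        # A 32-bit writer is redirected to this view; the 64-bit Winlogon reads the native key.
        "wow6432_view": "\\wow6432node\\" in key_path.lower(),
        "entries": entries,
        "extra_programs": extra,
        "suspicious": bool(extra) or shell_replaced,
    }


# Constructed samples: the first pair is the write this report recorded, the others are for contrast.
SAMPLES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     r'explorer.exe, "C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "explorer.exe"),
    # Hypothetical: shell replaced outright, with a comma inside the quoted path.
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     r'"C:\Program Files\Kiosk, Inc\kiosk.exe"'),
]


def run_samples() -> list[dict]:
    return [check_winlogon_shell(key, value) for key, value in SAMPLES]


if __name__ == "__main__":
    for finding in run_samples():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        view = " (Wow6432Node view)" if finding["wow6432_view"] else ""
        print(f"{flag}{view}: {finding['entries']}")
```

On a live host the same function can be fed the output of a registry read of both views of the key; anything other than a single explorer.exe entry deserves a look.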
- Buer Loader (5 IoCs)
  Detects Buer loader in memory or disk.
  resource | yara_rule
  \ProgramData\e5ba68ea51572fa02d86\gennt.exe | buer
  \ProgramData\e5ba68ea51572fa02d86\gennt.exe | buer
  C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe | buer
  C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe | buer
  behavioral1/memory/1764-5-0x0000000000000000-mapping.dmp | buer
  Note: the memory hit is on PID 1764, which is the secinit.exe process that gennt.exe started with its own command line and wrote into; the Buer code therefore runs inside that secinit.exe process, not only in gennt.exe on disk.
- Executes dropped EXE (1 IoC)
  pid | process
  1792 | gennt.exe
- Deletes itself (1 IoC)
  pid | process
  1792 | gennt.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  608 | 214053f.exe
  608 | 214053f.exe
  1988 | regsvr32.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  secinit.exe: File opened (read-only) \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1988 set thread context of 916 | 1988 | regsvr32.exe | rundll32.exe
  Note: a parent changing the thread context of a child it spawned is the final step of process hollowing or thread hijacking (the entry point is redirected to the injected code). PID 916 is the syswow64\rundll32.exe at the bottom of the process tree. The WriteProcessMemory list (64 IoCs) has no entry for PID 916, but that list also lacks PIDs 1716, 1916 and 2008 from the tree and appears to have been cut off at 64, so the gap is not evidence that nothing was written there.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | process
  1764 | secinit.exe
  1764 | secinit.exe
  1460 | rundll32.exe
  1948 | rundll32.exe
  1948 | rundll32.exe
  1948 | rundll32.exe
  1948 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1460 | rundll32.exe
  Token: SeDebugPrivilege | 1948 | rundll32.exe
  Note: SeDebugPrivilege lets a process open any non-protected process with full access regardless of its DACL. PID 1460 enables it and then appears in the WriteProcessMemory list writing into lsass.exe (PID 476), which is the sequence used to read from or inject into LSASS.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 214053f.exe, gennt.exe, secinit.exe, regsvr32.exe, rundll32.exe, lsass.exe, cmd.exe, net.exe
  The 64 entries, aggregated as "source PID process -> target PID process (number of entries)":
  608 214053f.exe -> 1792 gennt.exe (4)
  1792 gennt.exe -> 1764 secinit.exe (11)
  1764 secinit.exe -> 1128 cmd.exe (4)
  1764 secinit.exe -> 1988 regsvr32.exe (7)
  1988 regsvr32.exe -> 1460 rundll32.exe (5)
  1460 rundll32.exe -> 476 lsass.exe (2)
  1988 regsvr32.exe -> 1948 rundll32.exe (5)
  1988 regsvr32.exe -> 1856 rundll32.exe (5)
  476 lsass.exe -> 1856 rundll32.exe (10)
  1988 regsvr32.exe -> 1576 cmd.exe (4)
  1576 cmd.exe -> 1076 net.exe (4)
  1076 net.exe -> 1968 net1.exe (3)
  Note: the sandbox logs every cross-process write, including the ones CreateProcess itself performs when it sets up a child, so the 3 to 4 writes per hop along the cmd.exe -> net.exe -> net1.exe chain are the baseline. The edges that matter are the 11 writes from gennt.exe into secinit.exe (the image replacement), the 5 writes into each argument-less rundll32.exe host, the 2 writes from rundll32.exe (1460) into lsass.exe, and the 10 writes from lsass.exe into rundll32.exe (1856): lsass.exe does not write into user processes on its own, so that edge means code was executing inside LSASS after the earlier write into it.
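To turn the list above into something a reviewer can reason about, here is an added example (mine, not a parser the sandbox publishes) that reads rows in the report's "PID a wrote to memory of b a source target" format, aggregates them into edges with counts, and flags any write into or out of lsass.exe. The input is a constructed subset of the report's own rows, plus one junk line to show that non-matching text is skipped.

```python
from __future__ import annotations

import re
from collections import Counter

# Row format used by the report: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Constructed sample: a subset of rows copied from the report's table, one per line.
SAMPLE_ROWS = """\
PID 608 wrote to memory of 1792 608 214053f.exe gennt.exe
PID 1792 wrote to memory of 1764 1792 gennt.exe secinit.exe
PID 1792 wrote to memory of 1764 1792 gennt.exe secinit.exe
PID 1764 wrote to memory of 1988 1764 secinit.exe regsvr32.exe
PID 1988 wrote to memory of 1460 1988 regsvr32.exe rundll32.exe
PID 1460 wrote to memory of 476 1460 rundll32.exe lsass.exe
PID 1460 wrote to memory of 476 1460 rundll32.exe lsass.exe
PID 476 wrote to memory of 1856 476 lsass.exe rundll32.exe
PID 476 wrote to memory of 1856 476 lsass.exe rundll32.exe
PID 476 wrote to memory of 1856 476 lsass.exe rundll32.exe
PID 1576 wrote to memory of 1076 1576 cmd.exe net.exe
not a row at all
"""


def parse_writes(text: str) -> Counter:
    """Aggregate rows into (src_pid, src_img, dst_pid, dst_img) -> count; non-matching lines are skipped."""
    edges: Counter = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


def lsass_findings(edges: Counter) -> list[str]:
    """Writes into lsass.exe (credential access or injection) and out of it (code running inside it)."""
    out = []
    for (src, src_img, dst, dst_img), n in sorted(edges.items()):
        if dst_img.lower() == "lsass.exe":
            out.append(f"{src_img} ({src}) wrote into lsass.exe ({dst}) {n}x")
        if src_img.lower() == "lsass.exe":
            out.append(f"lsass.exe ({src}) wrote into {dst_img} ({dst}) {n}x: code is executing inside LSASS")
    return out


def injection_targets(edges: Counter, min_writes: int = 2) -> dict:
    """Per writer, the distinct processes it wrote to at least min_writes times.

    The threshold separates the single setup write CreateProcess performs from
    repeated writes that carry a payload; tune it against your own sandbox's baseline.
    """
    targets: dict = {}
    for (src, src_img, dst, dst_img), n in edges.items():
        if n >= min_writes:
            targets.setdefault((src, src_img), set()).add((dst, dst_img))
    return targets


if __name__ == "__main__":
    edges = parse_writes(SAMPLE_ROWS)
    for finding in lsass_findings(edges):
        print(finding)
    for writer, victims in injection_targets(edges).items():
        print(writer, "->", sorted(victims))
```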
Processes
- [1] C:\Windows\system32\lsass.exe  (PID 476)
      cmdline: C:\Windows\system32\lsass.exe
      - Suspicious use of WriteProcessMemory
- [1] C:\Users\Admin\AppData\Local\Temp\214053f.exe  (PID 608)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\214053f.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
  - [2] C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe  (PID 1792)
        cmdline: C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe "C:\Users\Admin\AppData\Local\Temp\214053f.exe" ensgJJ
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Deletes itself
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\secinit.exe  (PID 1764)
          cmdline: C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe
          - Modifies WinLogon for persistence
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe  (PID 1128)
            cmdline: "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\e5ba68ea51572fa02d86}"
      - [4] C:\Windows\SysWOW64\regsvr32.exe  (PID 1988)
            cmdline: "C:\Windows\System32\regsvr32.exe" "C:\ProgramData\e5ba68ea51572fa02d86\dupihaiqan.dll"
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\rundll32.exe  (PID 1460)
              cmdline: C:\Windows\sysnative\rundll32.exe
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\rundll32.exe  (PID 1948)
              cmdline: C:\Windows\sysnative\rundll32.exe
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\system32\rundll32.exe  (PID 1856)
              cmdline: C:\Windows\sysnative\rundll32.exe
        - [5] C:\Windows\SysWOW64\cmd.exe  (PID 1576)
              cmdline: C:\Windows\system32\cmd.exe /C net group "enterprise admins" /domain
              - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\net.exe  (PID 1076)
                cmdline: net group "enterprise admins" /domain
                - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\net1.exe  (PID 1968)
                  cmdline: C:\Windows\system32\net1 group "enterprise admins" /domain
        - [5] C:\Windows\SysWOW64\cmd.exe  (PID 1716)
              cmdline: C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
          - [6] C:\Windows\SysWOW64\net.exe  (PID 1916)
                cmdline: net group "domain admins" /domain
            - [7] C:\Windows\SysWOW64\net1.exe  (PID 2008)
                  cmdline: C:\Windows\system32\net1 group "domain admins" /domain
        - [5] C:\Windows\syswow64\rundll32.exe  (PID 916)
              cmdline: C:\Windows\syswow64\rundll32.exe

Notes on the tree:
- secinit.exe (PID 1764) runs with gennt.exe's command line. That image/command-line mismatch, together with the 11 writes from gennt.exe into it, indicates the process was started and its image replaced, and the Buer YARA hit on the PID 1764 memory dump confirms it is now the Buer host. secinit.exe is a legitimate Windows binary, so an allow-list by image name would miss this.
- The cmd.exe line under secinit.exe is an attempt to exclude the drop directory from Windows Defender. cmd.exe received the PowerShell command as a bare argument (no /C) and no powershell.exe child appears in the tree, so this report does not show the exclusion being applied; on a live host check Get-MpPreference rather than assuming either outcome.
- regsvr32.exe loading dupihaiqan.dll from the drop directory is the stage the Cobaltstrike signature refers to. It spawns rundll32.exe with no arguments from both sysnative and syswow64 (Cobalt Strike's default spawnto paths), writes into each, and sets the thread context of PID 916. rundll32.exe does nothing useful without a DLL argument, so an argument-less rundll32.exe is itself worth alerting on.
- The net group "enterprise admins" / "domain admins" /domain queries are domain reconnaissance issued from the injected regsvr32.exe; on a domain-joined host they reach a domain controller and are visible in its logs.
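The tree lends itself to a few host-side heuristics. The following added example (mine, not the sandbox's or the sample's) runs them over constructed process records that mirror rows of the tree above, plus one benign control: an image whose command line names a different executable, rundll32.exe started with no arguments, a Windows Defender exclusion being added, and net group queries for privileged domain groups. The record shape (pid, image, command line) is an assumption; adapt it to whatever your telemetry provides.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str    # path of the executable actually mapped in the process
    cmdline: str  # command line the process was started with


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (program, arguments), honouring a quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:].strip())
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stem(path: str) -> str:
    """Basename without a trailing .exe, so 'net1' and 'net1.exe' compare equal."""
    b = basename(path)
    return b[:-4] if b.endswith(".exe") else b


EXCLUSION = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+([^\s}"]+)', re.IGNORECASE)
NET_GROUP = re.compile(r'\bnet1?\s+group\s+"(domain admins|enterprise admins)"\s+/domain', re.IGNORECASE)


def triage(p: Proc) -> list[str]:
    """Return the heuristic findings for one process record (empty list if nothing matched)."""
    findings = []
    program, args = split_cmdline(p.cmdline)
    image = basename(p.image)
    if stem(p.image) != stem(program):
        # The mapped image is not what the command line claims: hollowing or image replacement.
        findings.append(f"image/cmdline mismatch: {image} started as {basename(program)}")
    if image == "rundll32.exe" and not args:
        # rundll32.exe needs a DLL argument to do anything; an empty one is an injection host.
        findings.append("rundll32.exe launched without arguments")
    m = EXCLUSION.search(p.cmdline)
    if m:
        findings.append(f"Defender exclusion added for {m.group(1)}")
    m = NET_GROUP.search(p.cmdline)
    if m:
        findings.append(f'domain recon: enumerating "{m.group(1).lower()}"')
    return findings


# Constructed records mirroring the report's process tree, plus a benign control.
SAMPLE_PROCS = [
    Proc(1764, r"C:\Windows\SysWOW64\secinit.exe", r"C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe"),
    Proc(1128, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\e5ba68ea51572fa02d86}"'),
    Proc(1460, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\sysnative\rundll32.exe"),
    Proc(1968, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 group "enterprise admins" /domain'),
    Proc(1234, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),  # benign control
]


def triage_all(procs: list[Proc] = SAMPLE_PROCS) -> dict[int, list[str]]:
    return {p.pid: triage(p) for p in procs}


if __name__ == "__main__":
    for pid, findings in triage_all().items():
        print(pid, findings or ["no findings"])
```

The mismatch check is the one that catches the hollowed secinit.exe; the others are cheap string heuristics that each fire on exactly one of the tree's rows.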
Network
MITRE ATT&CK Enterprise v6
Downloads
Two distinct artifacts are offered (the original listing repeats each of them):
- Artifact 1 (not named on this page)
  MD5: 5c4a26fd3d7bd21eaf316e2f48cc39a3
  SHA1: 80e494e385a1b2d3581ce8803d14911af296ff7e
  SHA256: 6ff57b1138bfc48412a5b0e87c302ff0ac01c173e8937f1eb5b833c504aa902c
  SHA512: 65a81a712da70a06abc7e7cb6d0c6b38a3133406245db641b8038cbd28ed4a86c4ebbb0098784e223c3268933cb6e860563b9a80c67c5a9deaef64163ec1a368
- Artifact 2 (the submitted sample 214053f.exe; hashes match the General section)
  MD5: 1f4ce9581d372c6297794233cbeca1ea
  SHA1: c9661c46db129433e350d1ca3fd0ebd79b190f88
  SHA256: f23db00ee052d07bf66ce6aa644ead488e182dfb21c4c5c42bb9677db839a310
  SHA512: 571c4a811586bf26b3de8cbcc59be0b27f4fb58826844e8ef73dcf8c61af8c918dd8c06f42339867b4877f00ab11e8ec8d1901afbde57e967748ccd23425447f