Analysis Overview
SHA256
f23db00ee052d07bf66ce6aa644ead488e182dfb21c4c5c42bb9677db839a310
Threat Level: Known bad
The file 214053f.exe was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
MetaSploit
Buer
Modifies WinLogon for persistence
Buer Loader
Executes dropped EXE
Deletes itself
Loads dropped DLL
Enumerates connected drives
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-07-16 20:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-07-16 20:13
Reported
2020-07-16 20:43
Platform
win7
Max time kernel
1800s
Max time network
1806s
Command Line
Signatures
Buer
Cobaltstrike
MetaSploit
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\e5ba68ea51572fa02d86\\gennt.exe\"" | C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\e5ba68ea51572fa02d86\\gennt.exe\"" | C:\Windows\SysWOW64\secinit.exe | N/A |
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\214053f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\214053f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\secinit.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\secinit.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1988 set thread context of 916 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\syswow64\rundll32.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\secinit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secinit.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Users\Admin\AppData\Local\Temp\214053f.exe
"C:\Users\Admin\AppData\Local\Temp\214053f.exe"
C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe
C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe "C:\Users\Admin\AppData\Local\Temp\214053f.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\e5ba68ea51572fa02d86}"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" "C:\ProgramData\e5ba68ea51572fa02d86\dupihaiqan.dll"
C:\Windows\system32\rundll32.exe
C:\Windows\sysnative\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\sysnative\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\sysnative\rundll32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net group "enterprise admins" /domain
C:\Windows\SysWOW64\net.exe
net group "enterprise admins" /domain
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "enterprise admins" /domain
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
C:\Windows\SysWOW64\net.exe
net group "domain admins" /domain
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain admins" /domain
C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\rundll32.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:8080 | 162.244.81.87 | tcp |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 162.244.81.87:443 | tcp | |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 31.14.40.55:80 | 31.14.40.55 | tcp |
| N/A | 127.0.0.1:11871 | tcp | |
| N/A | 10.7.0.14:445 | tcp |
Files
\ProgramData\e5ba68ea51572fa02d86\gennt.exe
| MD5 | 1f4ce9581d372c6297794233cbeca1ea |
| SHA1 | c9661c46db129433e350d1ca3fd0ebd79b190f88 |
| SHA256 | f23db00ee052d07bf66ce6aa644ead488e182dfb21c4c5c42bb9677db839a310 |
| SHA512 | 571c4a811586bf26b3de8cbcc59be0b27f4fb58826844e8ef73dcf8c61af8c918dd8c06f42339867b4877f00ab11e8ec8d1901afbde57e967748ccd23425447f |
\ProgramData\e5ba68ea51572fa02d86\gennt.exe
| MD5 | 1f4ce9581d372c6297794233cbeca1ea |
| SHA1 | c9661c46db129433e350d1ca3fd0ebd79b190f88 |
| SHA256 | f23db00ee052d07bf66ce6aa644ead488e182dfb21c4c5c42bb9677db839a310 |
| SHA512 | 571c4a811586bf26b3de8cbcc59be0b27f4fb58826844e8ef73dcf8c61af8c918dd8c06f42339867b4877f00ab11e8ec8d1901afbde57e967748ccd23425447f |
memory/1792-2-0x0000000000000000-mapping.dmp
C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe
| MD5 | 1f4ce9581d372c6297794233cbeca1ea |
| SHA1 | c9661c46db129433e350d1ca3fd0ebd79b190f88 |
| SHA256 | f23db00ee052d07bf66ce6aa644ead488e182dfb21c4c5c42bb9677db839a310 |
| SHA512 | 571c4a811586bf26b3de8cbcc59be0b27f4fb58826844e8ef73dcf8c61af8c918dd8c06f42339867b4877f00ab11e8ec8d1901afbde57e967748ccd23425447f |
C:\ProgramData\e5ba68ea51572fa02d86\gennt.exe
| MD5 | 1f4ce9581d372c6297794233cbeca1ea |
| SHA1 | c9661c46db129433e350d1ca3fd0ebd79b190f88 |
| SHA256 | f23db00ee052d07bf66ce6aa644ead488e182dfb21c4c5c42bb9677db839a310 |
| SHA512 | 571c4a811586bf26b3de8cbcc59be0b27f4fb58826844e8ef73dcf8c61af8c918dd8c06f42339867b4877f00ab11e8ec8d1901afbde57e967748ccd23425447f |
memory/1764-5-0x0000000000000000-mapping.dmp
memory/1128-6-0x0000000000000000-mapping.dmp
memory/1988-7-0x0000000000000000-mapping.dmp
C:\ProgramData\e5ba68ea51572fa02d86\dupihaiqan.dll
| MD5 | 5c4a26fd3d7bd21eaf316e2f48cc39a3 |
| SHA1 | 80e494e385a1b2d3581ce8803d14911af296ff7e |
| SHA256 | 6ff57b1138bfc48412a5b0e87c302ff0ac01c173e8937f1eb5b833c504aa902c |
| SHA512 | 65a81a712da70a06abc7e7cb6d0c6b38a3133406245db641b8038cbd28ed4a86c4ebbb0098784e223c3268933cb6e860563b9a80c67c5a9deaef64163ec1a368 |
\ProgramData\e5ba68ea51572fa02d86\dupihaiqan.dll
| MD5 | 5c4a26fd3d7bd21eaf316e2f48cc39a3 |
| SHA1 | 80e494e385a1b2d3581ce8803d14911af296ff7e |
| SHA256 | 6ff57b1138bfc48412a5b0e87c302ff0ac01c173e8937f1eb5b833c504aa902c |
| SHA512 | 65a81a712da70a06abc7e7cb6d0c6b38a3133406245db641b8038cbd28ed4a86c4ebbb0098784e223c3268933cb6e860563b9a80c67c5a9deaef64163ec1a368 |
memory/1988-10-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1988-11-0x000000006BAC0000-0x000000006BACB000-memory.dmp
memory/1988-12-0x0000000000890000-0x0000000000891000-memory.dmp
memory/1460-13-0x0000000000000000-mapping.dmp
memory/1948-14-0x0000000000000000-mapping.dmp
memory/1856-15-0x0000000000000000-mapping.dmp
memory/1856-16-0x00000000002DFFF0-0x00000000002E2BF0-disk.dmp
memory/1856-18-0x0000736563690000-0x0000736563690000-disk.dmp
memory/1576-19-0x0000000000000000-mapping.dmp
memory/1076-20-0x0000000000000000-mapping.dmp
memory/1968-21-0x0000000000000000-mapping.dmp
memory/1716-22-0x0000000000000000-mapping.dmp
memory/1916-23-0x0000000000000000-mapping.dmp
memory/2008-24-0x0000000000000000-mapping.dmp
memory/916-25-0x0000000000090000-0x00000000000A3000-memory.dmp
memory/916-26-0x0000000000090000-mapping.dmp