ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46

General

Target

ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe
Size

149KB
MD5

b02ae33e75aeceecc4c4a42db8c44925
SHA1

b8be34ee03da34ba3946161bddbbcb87998355a5
SHA256

ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46
SHA512

64b880d9a7b874ede6e88f4c0e914bede1717766a779f1f6466594cb501838f4eea03aa02e568b1008bae7c7af4a88703be143d0b09ba77acf8bb0d4e194c0ec

Score

10^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1864	gennt.exe

Deletes itself 1 IoCs

pid	Process
1864	gennt.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1260	1904	WerFault.exe	25

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Loads dropped DLL 2 IoCs

pid	Process
1492	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe
1492	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	WerFault.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\31971a4405970f0358d8\\gennt.exe\""	gennt.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1864	1492	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe	24
PID 1492 wrote to memory of 1864	1492	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe	24
PID 1492 wrote to memory of 1864	1492	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe	24
PID 1492 wrote to memory of 1864	1492	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe	24
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1864 wrote to memory of 1904	1864	gennt.exe	25
PID 1904 wrote to memory of 1260	1904	secinit.exe	28
PID 1904 wrote to memory of 1260	1904	secinit.exe	28
PID 1904 wrote to memory of 1260	1904	secinit.exe	28
PID 1904 wrote to memory of 1260	1904	secinit.exe	28
PID 1864 wrote to memory of 828	1864	gennt.exe	29
PID 1864 wrote to memory of 828	1864	gennt.exe	29
PID 1864 wrote to memory of 828	1864	gennt.exe	29
PID 1864 wrote to memory of 828	1864	gennt.exe	29

C:\Users\Admin\AppData\Local\Temp\ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe
"C:\Users\Admin\AppData\Local\Temp\ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492
- C:\ProgramData\31971a4405970f0358d8\gennt.exe
  C:\ProgramData\31971a4405970f0358d8\gennt.exe "C:\Users\Admin\AppData\Local\Temp\ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe" ensgJJ
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Modifies WinLogon for persistence
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\31971a4405970f0358d8\gennt.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 136
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\31971a4405970f0358d8}"
    3⤵
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-12-0x0000000001FD0000-0x0000000001FE1000-memory.dmp

Filesize
68KB

Download
memory/1260-15-0x0000000002560000-0x0000000002571000-memory.dmp

Filesize
68KB

Download
memory/1492-0-0x000000000054B000-0x000000000054C000-memory.dmp

Filesize
4KB

Download
memory/1492-1-0x0000000001D50000-0x0000000001D61000-memory.dmp

Filesize
68KB

Download
memory/1864-6-0x00000000004AB000-0x00000000004AC000-memory.dmp

Filesize
4KB

Download
memory/1864-7-0x0000000001D20000-0x0000000001D31000-memory.dmp

Filesize
68KB

Download
memory/1864-9-0x0000000001D20000-0x0000000001D31000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing