ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46

General

Target

ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe
Size

149KB
MD5

b02ae33e75aeceecc4c4a42db8c44925
SHA1

b8be34ee03da34ba3946161bddbbcb87998355a5
SHA256

ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46
SHA512

64b880d9a7b874ede6e88f4c0e914bede1717766a779f1f6466594cb501838f4eea03aa02e568b1008bae7c7af4a88703be143d0b09ba77acf8bb0d4e194c0ec

Score

10^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 2352	3916	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe	72
PID 3916 wrote to memory of 2352	3916	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe	72
PID 3916 wrote to memory of 2352	3916	ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe	72
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 2956	2352	gennt.exe	73
PID 2352 wrote to memory of 3888	2352	gennt.exe	76
PID 2352 wrote to memory of 3888	2352	gennt.exe	76
PID 2352 wrote to memory of 3888	2352	gennt.exe	76

Executes dropped EXE 1 IoCs

pid	Process
2352	gennt.exe

Deletes itself 1 IoCs

pid	Process
2352	gennt.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3840	2956	WerFault.exe	73

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3840	WerFault.exe
Token: SeBackupPrivilege	3840	WerFault.exe
Token: SeDebugPrivilege	3840	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\7d88e65552dcd26d37bf\\gennt.exe\""	gennt.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe
"C:\Users\Admin\AppData\Local\Temp\ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3916
- C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
  C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\ea28f52a318eeba6b22f449ec42f79a9deda765e9c87c20914f6bae9ad810c46.exe" ensgJJ
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Deletes itself
  - Modifies WinLogon for persistence
  PID:2352
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 336
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
      PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\7d88e65552dcd26d37bf}"
    3⤵
    PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-5-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/2352-6-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3840-9-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3840-15-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/3916-1-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3916-0-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing