Analysis
-
max time kernel
141s -
max time network
118s -
platform
windows7_x64 -
resource
win7 -
submitted
11-08-2020 15:48
Static task
static1
Behavioral task
behavioral1
Sample
Electronic_Tracking_INV_#9836582365728523752.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Electronic_Tracking_INV_#9836582365728523752.exe
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
Electronic_Tracking_INV_#9836582365728523752.exe
-
Size
245KB
-
MD5
64f86981c7450dfd2c3915f213fc6720
-
SHA1
5410d0e8569f0936b32de3199e8a187d6227fc1f
-
SHA256
a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
-
SHA512
02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22
Score
10/10
Malware Config
Extracted
Family
buer
C2
https://specialhosting.ga/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\1ff6f9cacff382d10a1a\\gennt.exe\"" gennt.exe -
Buer Loader 6 IoCs
Detects Buer loader in memory or disk.
resource yara_rule behavioral1/memory/1124-0-0x0000000000100000-0x000000000010F000-memory.dmp buer behavioral1/memory/1172-1-0x0000000040000000-0x000000004000C000-memory.dmp buer behavioral1/memory/1172-2-0x000000004000303B-mapping.dmp buer behavioral1/memory/1172-4-0x0000000040000000-0x000000004000C000-memory.dmp buer behavioral1/memory/1380-8-0x00000000000D0000-0x00000000000DF000-memory.dmp buer behavioral1/memory/1820-10-0x000000004000303B-mapping.dmp buer -
Executes dropped EXE 2 IoCs
pid Process 1380 gennt.exe 1820 gennt.exe -
Deletes itself 1 IoCs
pid Process 1820 gennt.exe -
Loads dropped DLL 1 IoCs
pid Process 1172 electronic_tracking_inv_#9836582365728523752.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1124 set thread context of 1172 1124 Electronic_Tracking_INV_#9836582365728523752.exe 24 PID 1380 set thread context of 1820 1380 gennt.exe 28 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1788 powershell.exe 1788 powershell.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1124 Electronic_Tracking_INV_#9836582365728523752.exe 1380 gennt.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1788 powershell.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1124 wrote to memory of 1172 1124 Electronic_Tracking_INV_#9836582365728523752.exe 24 PID 1124 wrote to memory of 1172 1124 Electronic_Tracking_INV_#9836582365728523752.exe 24 PID 1124 wrote to memory of 1172 1124 Electronic_Tracking_INV_#9836582365728523752.exe 24 PID 1124 wrote to memory of 1172 1124 Electronic_Tracking_INV_#9836582365728523752.exe 24 PID 1124 wrote to memory of 1172 1124 Electronic_Tracking_INV_#9836582365728523752.exe 24 PID 1172 wrote to memory of 1380 1172 electronic_tracking_inv_#9836582365728523752.exe 27 PID 1172 wrote to memory of 1380 1172 electronic_tracking_inv_#9836582365728523752.exe 27 PID 1172 wrote to memory of 1380 1172 electronic_tracking_inv_#9836582365728523752.exe 27 PID 1172 wrote to memory of 1380 1172 electronic_tracking_inv_#9836582365728523752.exe 27 PID 1380 wrote to memory of 1820 1380 gennt.exe 28 PID 1380 wrote to memory of 1820 1380 gennt.exe 28 PID 1380 wrote to memory of 1820 1380 gennt.exe 28 PID 1380 wrote to memory of 1820 1380 gennt.exe 28 PID 1380 wrote to memory of 1820 1380 gennt.exe 28 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1252 1820 gennt.exe 29 PID 1820 wrote to memory of 1788 1820 gennt.exe 30 PID 1820 wrote to memory of 1788 1820 gennt.exe 30 PID 1820 wrote to memory of 1788 1820 gennt.exe 30 PID 1820 wrote to memory of 1788 1820 gennt.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exeC:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exeC:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe5⤵PID:1252
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\1ff6f9cacff382d10a1a}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
-
-