Analysis
-
max time kernel
123s -
max time network
150s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
11-08-2020 15:48
Static task
static1
Behavioral task
behavioral1
Sample
Electronic_Tracking_INV_#9836582365728523752.exe
Resource
win7
Behavioral task
behavioral2
Sample
Electronic_Tracking_INV_#9836582365728523752.exe
Resource
win10v200722
General
-
Target
Electronic_Tracking_INV_#9836582365728523752.exe
-
Size
245KB
-
MD5
64f86981c7450dfd2c3915f213fc6720
-
SHA1
5410d0e8569f0936b32de3199e8a187d6227fc1f
-
SHA256
a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
-
SHA512
02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22
Malware Config
Extracted
buer
https://specialhosting.ga/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
gennt.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\7d88e65552dcd26d37bf\\gennt.exe\"" gennt.exe -
Buer Loader 6 IoCs
Detects Buer loader in memory or disk.
Processes:
resource yara_rule behavioral2/memory/3908-0-0x0000000000F70000-0x0000000000F7F000-memory.dmp buer behavioral2/memory/3704-1-0x0000000040000000-0x000000004000C000-memory.dmp buer behavioral2/memory/3704-2-0x000000004000303B-mapping.dmp buer behavioral2/memory/3704-4-0x0000000040000000-0x000000004000C000-memory.dmp buer behavioral2/memory/2420-8-0x00000000005D0000-0x00000000005DF000-memory.dmp buer behavioral2/memory/2856-10-0x000000004000303B-mapping.dmp buer -
Executes dropped EXE 2 IoCs
Processes:
gennt.exegennt.exepid Process 2420 gennt.exe 2856 gennt.exe -
Deletes itself 1 IoCs
Processes:
gennt.exepid Process 2856 gennt.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
Electronic_Tracking_INV_#9836582365728523752.exegennt.exedescription pid Process procid_target PID 3908 set thread context of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 2420 set thread context of 2856 2420 gennt.exe 74 -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3820 2568 WerFault.exe 75 -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
WerFault.exepid Process 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Electronic_Tracking_INV_#9836582365728523752.exegennt.exepid Process 3908 Electronic_Tracking_INV_#9836582365728523752.exe 2420 gennt.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid Process Token: SeRestorePrivilege 3820 WerFault.exe Token: SeBackupPrivilege 3820 WerFault.exe Token: SeDebugPrivilege 3820 WerFault.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
Electronic_Tracking_INV_#9836582365728523752.exeelectronic_tracking_inv_#9836582365728523752.exegennt.exegennt.exedescription pid Process procid_target PID 3908 wrote to memory of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 3908 wrote to memory of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 3908 wrote to memory of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 3908 wrote to memory of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 3704 wrote to memory of 2420 3704 electronic_tracking_inv_#9836582365728523752.exe 73 PID 3704 wrote to memory of 2420 3704 electronic_tracking_inv_#9836582365728523752.exe 73 PID 3704 wrote to memory of 2420 3704 electronic_tracking_inv_#9836582365728523752.exe 73 PID 2420 wrote to memory of 2856 2420 gennt.exe 74 PID 2420 wrote to memory of 2856 2420 gennt.exe 74 PID 2420 wrote to memory of 2856 2420 gennt.exe 74 PID 2420 wrote to memory of 2856 2420 gennt.exe 74 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\ProgramData\7d88e65552dcd26d37bf\gennt.exeC:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\ProgramData\7d88e65552dcd26d37bf\gennt.exeC:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\7d88e65552dcd26d37bf\gennt.exe5⤵PID:2568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 3326⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
64f86981c7450dfd2c3915f213fc6720
SHA15410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA51202e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22
-
MD5
64f86981c7450dfd2c3915f213fc6720
SHA15410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA51202e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22
-
MD5
64f86981c7450dfd2c3915f213fc6720
SHA15410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA51202e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22