Analysis
-
max time kernel
123s -
max time network
150s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
11-08-2020 15:48
Static task
static1
Behavioral task
behavioral1
Sample
Electronic_Tracking_INV_#9836582365728523752.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Electronic_Tracking_INV_#9836582365728523752.exe
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
Electronic_Tracking_INV_#9836582365728523752.exe
-
Size
245KB
-
MD5
64f86981c7450dfd2c3915f213fc6720
-
SHA1
5410d0e8569f0936b32de3199e8a187d6227fc1f
-
SHA256
a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
-
SHA512
02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22
Score
10/10
Malware Config
Extracted
Family
buer
C2
https://specialhosting.ga/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\7d88e65552dcd26d37bf\\gennt.exe\"" gennt.exe -
Buer Loader 6 IoCs
Detects Buer loader in memory or disk.
resource yara_rule behavioral2/memory/3908-0-0x0000000000F70000-0x0000000000F7F000-memory.dmp buer behavioral2/memory/3704-1-0x0000000040000000-0x000000004000C000-memory.dmp buer behavioral2/memory/3704-2-0x000000004000303B-mapping.dmp buer behavioral2/memory/3704-4-0x0000000040000000-0x000000004000C000-memory.dmp buer behavioral2/memory/2420-8-0x00000000005D0000-0x00000000005DF000-memory.dmp buer behavioral2/memory/2856-10-0x000000004000303B-mapping.dmp buer -
Executes dropped EXE 2 IoCs
pid Process 2420 gennt.exe 2856 gennt.exe -
Deletes itself 1 IoCs
pid Process 2856 gennt.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3908 set thread context of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 2420 set thread context of 2856 2420 gennt.exe 74 -
Program crash 1 IoCs
pid pid_target Process procid_target 3820 2568 WerFault.exe 75 -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe 3820 WerFault.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3908 Electronic_Tracking_INV_#9836582365728523752.exe 2420 gennt.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 3820 WerFault.exe Token: SeBackupPrivilege 3820 WerFault.exe Token: SeDebugPrivilege 3820 WerFault.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3908 wrote to memory of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 3908 wrote to memory of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 3908 wrote to memory of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 3908 wrote to memory of 3704 3908 Electronic_Tracking_INV_#9836582365728523752.exe 66 PID 3704 wrote to memory of 2420 3704 electronic_tracking_inv_#9836582365728523752.exe 73 PID 3704 wrote to memory of 2420 3704 electronic_tracking_inv_#9836582365728523752.exe 73 PID 3704 wrote to memory of 2420 3704 electronic_tracking_inv_#9836582365728523752.exe 73 PID 2420 wrote to memory of 2856 2420 gennt.exe 74 PID 2420 wrote to memory of 2856 2420 gennt.exe 74 PID 2420 wrote to memory of 2856 2420 gennt.exe 74 PID 2420 wrote to memory of 2856 2420 gennt.exe 74 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75 PID 2856 wrote to memory of 2568 2856 gennt.exe 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\ProgramData\7d88e65552dcd26d37bf\gennt.exeC:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\ProgramData\7d88e65552dcd26d37bf\gennt.exeC:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\7d88e65552dcd26d37bf\gennt.exe5⤵PID:2568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 3326⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820
-
-
-
-
-