Analysis
max time kernel: 118s
max time network: 113s
platform: windows10_x64
resource: win10v200722
submitted: 18-09-2020 13:41
Static task: static1
Behavioral task: behavioral1
  Sample: Docum_nt_Pr_view.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: Docum_nt_Pr_view.exe
  Resource: win10v200722
General
Target: Docum_nt_Pr_view.exe
Size: 709KB
MD5: 96878fda61a76395aafa16a6150b0fe1
SHA1: 3509a916a873351ab23bc671cce5ca9aa3299e62
SHA256: 94ba896b284005a58298806bba47f725cdcaa1816b3c79226639cb145bf16886
SHA512: 4e98e7b32441d270496b35c13e16ca0fedfca10e8baf8cb92a0a54fc803fb2bbfbc3417fe22467c195655821167d068a0ccde3310b45c75cada677ccea638234
Malware Config
Extracted
buer
https://165.22.76.41/
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: gennt.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\7e1bd100aba6f2ec5a2b\\gennt.exe\""
  process: gennt.exe
- Buer Loader (2 IoCs)
  Detects Buer loader in memory or disk.
  resource: behavioral2/memory/3608-0-0x0000000000710000-0x000000000071F000-memory.dmp, yara_rule: buer
  resource: behavioral2/memory/3608-1-0x0000000040000000-0x000000004000C000-memory.dmp, yara_rule: buer
- Executes dropped EXE (1 IoC)
  Processes: gennt.exe
  pid: 752, process: gennt.exe
- Deletes itself (1 IoC)
  Processes: gennt.exe
  pid: 752, process: gennt.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe
  pid: 3088, process: powershell.exe (3 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description: Token: SeDebugPrivilege, pid: 3088, process: powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: Docum_nt_Pr_view.exe, gennt.exe
  description: PID 3608 wrote to memory of 752, pid: 3608, process: Docum_nt_Pr_view.exe, target process: gennt.exe (3 identical entries)
  description: PID 752 wrote to memory of 3088, pid: 752, process: gennt.exe, target process: powershell.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Docum_nt_Pr_view.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Docum_nt_Pr_view.exe"
  PID: 3608
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\7e1bd100aba6f2ec5a2b\gennt.exe
    command line: C:\ProgramData\7e1bd100aba6f2ec5a2b\gennt.exe "C:\Users\Admin\AppData\Local\Temp\Docum_nt_Pr_view.exe" ensgJJ
    PID: 752
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\7e1bd100aba6f2ec5a2b}"
      PID: 3088
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6