a5238e60cbe814a8021050ddeb4c9569eea12cf8379d689e0cd84bb83a9b8266

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

genp.exe
Size

120.4MB
MD5

0d8d495fed8e72ed25596c167725b82e
SHA1

808c2773be263ca72114836bc865ec33a67713c9
SHA256

c0b7602807caee94da179e24d12ca299ec2adbcf3c875aeb0291eccefaacca16
SHA512

41a01d383171394b9bdf21eb125893795b15b14432333949ea39d882928d62cc2f16609a4184f0b252b04ed7fc707b30b5a745ea478f1db675a1e2e7c9e044ab
SSDEEP

1572864:y1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:Pasulbg8yTnbEOz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	genp.exe

Executes dropped EXE 1 IoCs

pid	Process
1888	pythonw.exe

Loads dropped DLL 2 IoCs

pid	Process
1304	cmd.exe
1888	pythonw.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2352	genp.exe
2352	genp.exe
1856	genp.exe
2352	genp.exe
2352	genp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2740	2352	genp.exe	30
PID 2352 wrote to memory of 2660	2352	genp.exe	31
PID 2352 wrote to memory of 2660	2352	genp.exe	31
PID 2352 wrote to memory of 2660	2352	genp.exe	31
PID 2352 wrote to memory of 1856	2352	genp.exe	33
PID 2352 wrote to memory of 1856	2352	genp.exe	33
PID 2352 wrote to memory of 1856	2352	genp.exe	33
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34
PID 2352 wrote to memory of 1352	2352	genp.exe	34

C:\Users\Admin\AppData\Local\Temp\genp.exe
"C:\Users\Admin\AppData\Local\Temp\genp.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\genp.exe
  "C:\Users\Admin\AppData\Local\Temp\genp.exe" --type=gpu-process --field-trial-handle=932,5306419777573523192,18438497395412771710,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=960 /prefetch:2
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe"
  2⤵
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\genp.exe
  "C:\Users\Admin\AppData\Local\Temp\genp.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=932,5306419777573523192,18438497395412771710,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\genp.exe
  "C:\Users\Admin\AppData\Local\Temp\genp.exe" --type=gpu-process --field-trial-handle=932,5306419777573523192,18438497395412771710,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1132 /prefetch:2
  2⤵
  PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "pythonw.exe Crypto\Util\astor.py"
  2⤵
  - Loads dropped DLL
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\pyth\pythonw.exe
    pythonw.exe Crypto\Util\astor.py
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pyth\Crypto\Util\astor.py

Filesize
197KB

MD5
b83d4cfcf19ae62f9b1675c32d9dcc57

SHA1
43c728efb25cc6617771f79a6c698ef9b18b10f9

SHA256
8bd1d6141880281ca2ab115378cc69fd44d3139ab09401286bda33072ab5ed88

SHA512
843888720da4510aa0cf9462373f872fce2d081de5ff8f9c0dd973d8799e07c3dbcf45969142d45596da2d68054832706a3c78f307be313e3ad6a578a656fbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\certifi-2023.7.22.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\cryptography\hazmat\bindings\openssl\__init__.py

Filesize
180B

MD5
fce95ff49e7ad344d9381226ee6f5b90

SHA1
c00c73d5fb997fc6a8e19904b909372824304c27

SHA256
b3da0a090db2705757a0445d4b58a669fb9e4a406c2fd92f6f27e085a6ae67d6

SHA512
a1e8e1788bd96057e2dbef14e48dd5ea620ae0753dbc075d1a0397fbb7a36b1beb633d274081300914a80c95922cf6eab0f5e709b709158645e17b16583233dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\jsonschema-4.19.1.dist-info\WHEEL

Filesize
87B

MD5
c3c172be777b2014a95410712715e881

SHA1
bcefa60eddbaeea633eb25b68b386c9b7d378291

SHA256
f5006e1e183a14d5bb969a5ba05daf2956c2193573b05ca48114238e56a3ae10

SHA512
60959e71903cefac495241d68d98ef76edad8d3a2247904b2528918a4702ee332ca614a026b8e7ef8527b1a563cdccd7e4ba66a63c5ae6d2445fbd0bcef947ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pyasn1\codec\ber\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pyparsing-2.4.7.dist-info\WHEEL

Filesize
110B

MD5
d2a91f104288b412dbc67b54de94e3ac

SHA1
5132cb7d835d40a81d25a4a1d85667eb13e1a4d3

SHA256
9064fbe0b5b245466b2f85602e1ebf835d8879597ff6ef5956169dae05d95046

SHA512
facdee18e59e77aef972a5accb343a2ea9db03f79d226c5827dc4bcdb47d3937fe347cb1f0a2fc48f035643f58737c875fdf1bd935586a98c6966bfa88c7484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pyperclip-1.8.2.dist-info\WHEEL

Filesize
92B

MD5
18f1a484771c3f3a3d3b90df42acfbbe

SHA1
cab34a71bd14a5eede447eeb4cfa561e5b976a94

SHA256
c903798389a0e00c9b4639208bef72cb889010589b1909a5cfbf0f8a4e4eafe0

SHA512
3efaf71d54fc3c3102090e0d0f718909564242079de0aa92dacab91c50421f80cbf30a71136510d161caac5dc2733d00eb33a4094de8604e5ca5d307245158aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\python311.dll

Filesize
5.5MB

MD5
65e381a0b1bc05f71c139b0c7a5b8eb2

SHA1
7c4a3adf21ebcee5405288fc81fc4be75019d472

SHA256
53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

SHA512
4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pythonwin\pywin\tools\__init__.py

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\pywin32-306.dist-info\WHEEL

Filesize
102B

MD5
00a3c7a59753cb624182601a561702a8

SHA1
729ccd40e8eb812c92ea53e40ab1a8050d3cd281

SHA256
f70be13bee4d8638c3f189a6c40bd74cf417303399e745b9be49737a8a85b643

SHA512
8652ff4001f12abb53a95ae5bd97499273ee690e48fd27cb3d08a1f3b8f3f977e4b8a97ef74fa5eb07b1e945c286d1f6b1395a49052a7bfb12757f056dfb344c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\urllib3-1.26.17.dist-info\WHEEL

Filesize
110B

MD5
410f359aa7fb8f75a9b456efaa7ded10

SHA1
751ef8f00944ab171bb93d1d1967442170564c82

SHA256
89896fe5f5f7e7b3d0c914f6a3ab70d5b37e61c2851472aa07f2f01cee703fe8

SHA512
e94864244a1164125b128bd6a5f85cadb6e5ca3f00935772c773c62890a42f93847142677f8b7f1238f27fec3d8d07fc9f94d34bcbb53c9c879777ac90f0199e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32\lib\afxres.py

Filesize
14KB

MD5
370beb77c36c0b2e840e6ab850fce757

SHA1
0a87a029ca417daa03d22be6eddfddbac0b54d7a

SHA256
462659f2891d1d767ea4e7a32fc1dbbd05ec9fcfa9310ecdc0351b68f4c19ed5

SHA512
4e274071ca052ca0d0ef5297d61d06914f0bfb3161843b3cdcfde5a2ea0368974fd2209732a4b00a488c84a80a5ab94ad4fd430ff1e4524c6425baa59e4da289

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32\license.txt

Filesize
1KB

MD5
f01a936bb1c9702b8425b5d4d1339a6c

SHA1
61f4d008c2d8de8d971c48888b227ecf9cfcaf1c

SHA256
113cd3cf784e586885f01f93e5df78f7c7c00b34d76cc4101e029cd2fd622113

SHA512
090adb1405c6a70dde49632e63b836756899ea75f7adc222ff879d3706096a8b69b0e7a21c575aa6d6b6d9a999c377a1e40aec76d49f3364b94de3e599610270

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32comext\axdebug\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32comext\axscript\Demos\client\ie\pycom_blowing.gif

Filesize
20KB

MD5
50bceb72abb5fa92a1b13a615288ea2e

SHA1
5c3a6324856dcbe7d1a11f3f5e440bb131551784

SHA256
b3c652073b3c75f5ac81381b6f44b8deead065c635c63771a0806e48778bafaa

SHA512
c52c9db12def0226c21105ab818db403efb666265ac745c830d66018437f8ac3e98307e94736a84bcab9ad7895b2183d6c4b9ccec0fc43517e433ac50bcaf351

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\win32comext\bits\__init__.py

Filesize
192B

MD5
3d90a8bdf51de0d7fae66fc1389e2b45

SHA1
b1d30b405f4f6fce37727c9ec19590b42de172ee

SHA256
7d1a6fe54dc90c23b0f60a0f0b3f9d5cae9ac1afecb9d6578f75b501cde59508

SHA512
bd4ea236807a3c128c1ec228a19f75a0a6ef2b29603c571ee5d578847b20b395fec219855d66a409b5057b5612e924edcd5983986bef531f1309aba2fe7f0636

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyth\wsproto-1.2.0.dist-info\WHEEL

Filesize
92B

MD5
40c30724e4d957d3b27cb3926dbb72fa

SHA1
40a2b8d62232140e022876da90b2c784970b715b

SHA256
7b0c04b9e8a8d42d977874ef4f5ee7f1d6542603afc82582b7459534b0a53fda

SHA512
1be185bcb43aa3708c16d716369158bbb6216e4bfbfa8c847baadd5adf8c23c5e8ceacde818c9b275d009ae31a9e1d3a84c3d46aaf51a0aa6251848d7defc802

Download Submit
\Users\Admin\AppData\Local\Temp\pyth\pythonw.exe

Filesize
99KB

MD5
5ce869bcfc73488486e3b73139905529

SHA1
079d1b11d192b45c79c186867d6bbc3df6058121

SHA256
6c5c3ace4470bc94848c4cfc6dc24e17599cd48f4def912a365208de6a82ccc3

SHA512
e378ca851d4e2a762fef25854b9160d6feace35d9db6665067216f087b9f1e584c1a288ac6196b81d8908d9d6290169b0d616801387433164339f73e1145f0f7

Download Submit
memory/2740-33-0x0000000076C90000-0x0000000076C91000-memory.dmp

Filesize
4KB

Download
memory/2740-1-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download