Resubmissions

24-08-2023 11:16

230824-nda8msdf8z 10

05-08-2023 22:52

230805-2tn2bsfa82 10

24-07-2023 06:25

230724-g6s6laag35 10

22-07-2023 15:57

230722-tee6wabg5w 10

20-07-2023 23:19

230720-3bb5gsbf5v 10

20-07-2023 23:06

230720-23f23sba63 10

03-02-2021 11:43

210203-6bgge2nfan 10

22-11-2020 06:42

201122-6x1at779dj 10

Analysis

  • max time kernel
    21s
  • max time network
    53s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-11-2020 06:42

Errors

Reason
Machine shutdown

General

  • Target

    Endermanch@000.exe

  • Size

    6.7MB

  • MD5

    f2b7074e1543720a9a98fda660e02688

  • SHA1

    1029492c1a12789d8af78d54adcb921e24b9e5ca

  • SHA256

    4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

  • SHA512

    73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 94 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Endermanch@000.exe
    "C:\Users\Admin\AppData\Local\Temp\Endermanch@000.exe"
    1⤵
    • Enumerates connected drives
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3996
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2992
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' set FullName='UR NEXT'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' rename 'UR NEXT'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\one.rtf
    MD5

    6fbd6ce25307749d6e0a66ebbc0264e7

    SHA1

    faee71e2eac4c03b96aabecde91336a6510fff60

    SHA256

    e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

    SHA512

    35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

  • C:\Users\Admin\AppData\Local\Temp\rniw.exe
    MD5

    9232120b6ff11d48a90069b25aa30abc

    SHA1

    97bb45f4076083fca037eee15d001fd284e53e47

    SHA256

    70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

    SHA512

    b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

  • C:\Users\Admin\AppData\Local\Temp\text.txt
    MD5

    9037ebf0a18a1c17537832bc73739109

    SHA1

    1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

    SHA256

    38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

    SHA512

    4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

  • C:\Users\Admin\AppData\Local\Temp\windl.bat
    MD5

    a9401e260d9856d1134692759d636e92

    SHA1

    4141d3c60173741e14f36dfe41588bb2716d2867

    SHA256

    b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

    SHA512

    5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

  • memory/2696-23-0x0000000000000000-mapping.dmp
  • memory/2844-4-0x0000000000000000-mapping.dmp
  • memory/2864-10-0x0000000000000000-mapping.dmp
  • memory/2992-7-0x0000000000000000-mapping.dmp
  • memory/3108-16-0x000000000BC60000-0x000000000BC70000-memory.dmp
    Filesize

    64KB

  • memory/3108-0-0x00000000739A0000-0x000000007408E000-memory.dmp
    Filesize

    6.9MB

  • memory/3108-11-0x000000000AD80000-0x000000000AD90000-memory.dmp
    Filesize

    64KB

  • memory/3108-12-0x000000000AD80000-0x000000000AD90000-memory.dmp
    Filesize

    64KB

  • memory/3108-14-0x000000000AD80000-0x000000000AD90000-memory.dmp
    Filesize

    64KB

  • memory/3108-13-0x000000000AD80000-0x000000000AD90000-memory.dmp
    Filesize

    64KB

  • memory/3108-15-0x000000000BC60000-0x000000000BC70000-memory.dmp
    Filesize

    64KB

  • memory/3108-8-0x000000000AD90000-0x000000000AD91000-memory.dmp
    Filesize

    4KB

  • memory/3108-19-0x000000000BC60000-0x000000000BC70000-memory.dmp
    Filesize

    64KB

  • memory/3108-18-0x000000000AD80000-0x000000000AD90000-memory.dmp
    Filesize

    64KB

  • memory/3108-17-0x000000000AD80000-0x000000000AD90000-memory.dmp
    Filesize

    64KB

  • memory/3108-1-0x0000000000B70000-0x0000000000B71000-memory.dmp
    Filesize

    4KB

  • memory/3108-3-0x0000000006000000-0x0000000006001000-memory.dmp
    Filesize

    4KB

  • memory/3996-6-0x0000000000000000-mapping.dmp
  • memory/4068-20-0x0000000000000000-mapping.dmp